Abstract

Abadi has introduced a logic to explicate the meaning of local names in SDSI, the Simple 
Distributed Security Infrastructure proposed by Rivest and Lampson. Abadi's logic does 
not correspond precisely to SDSI, however; it draws conclusions about local names that do 
not follow from SDSI's name resolution algorithm. Moreover, its semantics is somewhat 
unintuitive. This paper presents the Logic of Local Name Containment, which does not 
suffer from these deficiencies. It has a clear semantics and provides a tight characterization 
of SDSI name resolution. The semantics is shown to be closely related to that of logic 
programs, leading to an approach to the efficient implementation of queries concerning 
local names. A complete axiomatization of the logic is also provided. 



1 Introduction 



Rivest and Lampson [RL96] introduced SDSI — a Simple Distributed Security Infrastructure — 
to facilitate the construction of secure systems.[1] In SDSI, principals (agents) are identified with
public keys. In addition to principals, SDSI allows other names, such as poker-buddies. Rather 
than having a global name space, these names are interpreted locally, by each principal. That 
is, each principal associates with each name a set of principals. Of course, the interpretation of a 
name such as poker-buddies may be different for each agent. However, a principal can "export" 
his bindings to other principals. Thus, Ron may receive a message from the principal he names 
Joe describing a set of principals Joe associates with poker-buddies. Ron may then refer to 
the principals Joe associates with poker-buddies by the expression Joe's poker-buddies. 

Rivest and Lampson [RL96] give an operational account of local names; they provide a name- 
resolution algorithm that, given a principal k and a name n, computes the set of principals 
associated with n according to k. Abadi [Aba98] has provided a logic that, among other 
things, gives a more semantic account of local names. According to Abadi, its purpose "is to 
explain local names in a general, self-contained way, without requiring reference to particular 
implementations." Abadi shows that the SDSI name-resolution algorithm can be captured in 
terms of a collection of sound proof rules in his logic. 

Abadi's focus is on axioms. He constructs a semantics, not with the goal of capturing the 
intended meaning of his constructs, but rather, with the goal of showing that certain formulas 
are not derivable from his axioms. (In particular, he shows that false is not derivable, showing 
that his axioms are consistent.) While adequate for Abadi's restricted goals, his semantics 
validates some formulas that we certainly would not expect to be valid. One consequence of 
this is that, while he is able to pinpoint some potential concerns with the logic, the resolution 
of these concerns is less satisfactory. For example, he observes that adding two seemingly 
reasonable axioms to his logic allows us to reach quite an unreasonable conclusion. However, it 
is not obvious from the semantic intuitions provided by Abadi which (if either) of the axioms 
is unreasonable, or why it is unreasonable. Moreover, while he proves that this particular 
unreasonable conclusion is not derivable in his framework, as we show, a closely related (and 
equally unreasonable) conclusion is in fact valid. This means we have no assurance that it or 
other similar formulas cannot be derived from Abadi's axioms. 

We very much subscribe to Abadi's goal of using a logic to give a general account of naming. 
In this paper, we provide a logic whose syntax is very similar to Abadi's, but whose semantics 
is quite different and, we believe, captures better the meaning we intend the constructs to have. 
Nevertheless, all but one of Abadi's name space axioms are sound in our system. 

We remark that, in a sense, our task is much easier than Abadi's, since we give the constructs
in the logic a somewhat narrower reading than he does. Abadi tends to intertwine and
occasionally identify issues of naming with issues of rights and delegation. (Such an identification
is also implicitly made to some extent in designs such as PolicyMaker [BFL96].) We
believe that it is important to treat these issues separately. Such a separation allows us to both

[1] SDSI now forms the basis for the Simple Public Key Infrastructure (SPKI) standardization work [Gro98].
SPKI simplifies some SDSI features (e.g., it eliminates groups) but adds many others. We focus in this paper on
the core naming features of SDSI — there are some minor differences in the way that SPKI has chosen to handle
these features, but we believe that our work is equally relevant to the fragment of SPKI dealing with naming.
give a cleaner semantics for each of the relevant notions and to clarify a number of subtleties.
This paper focuses on naming, which we carefully separate from the other issues; a companion 
paper [HvdMS99] considers authority and delegation. 

We believe that our approach has a number of significant advantages: 

• We can still simulate SDSI's name resolution algorithm; Abadi's extra axiom is unnecessary.
In fact, our logic captures SDSI's name resolution more accurately than Abadi's.
Abadi's logic can draw conclusions that SDSI's name resolution cannot; our logic, in a 
precise sense, draws exactly the same conclusions as SDSI's name resolution algorithm. 

• According to our semantic intuition, one of Abadi's proposed additional axioms is in fact 
quite unreasonable; it does not hold under our semantics, and it is quite clear why. 

• We are able to provide a sound and complete axiomatization of our logic. Thus, unlike 
Abadi, we have a proof system that corresponds precisely to our semantics. This will 
allow us to prove stronger results than Abadi's about formulas that cannot be derived 
in our framework. Our completeness proof also yields a (provably optimal) NP-complete 
decision procedure for satisfiability of formulas in the logic. 

• Our logic is closely related to Logic Programming. This allows us to translate queries 
about names to Logic Programming queries, and thus use all the well-developed Logic 
Programming technology to deal with such queries. 

• Our approach opens the road to a number of generalizations, which allow us to deal with 
issues like permission, authority, and delegation [HvdMS99]. 

The rest of this paper is organized as follows. In Section 2, we review Abadi's logic and, in 
the process, describe SDSI's naming scheme. We also point out what we see as the problems 
with Abadi's approach. In Section 3, we give the syntax and semantics of our logic, and present 
a complete axiomatization. In Section 4 we show that our logic provides a tight characterization 
of SDSI name resolution. Section 5 deals with the connection between our account of SDSI 
name resolution and logic programming, and Section 6 concerns Self, an additional construct 
considered by Abadi. Section 7 concludes. 

2 SDSI's Name Spaces and Abadi's Logic 

In this section, we briefly review SDSI's naming scheme and Abadi's logic, and discuss our 
criticism of Abadi's logic. Like Abadi, we are basing our discussion on SDSI 1.1 [RL96]. 

2.1 SDSI's Name Spaces 

SDSI has local names and a set of reserved names, which we refer to as global names. Both 
are associated with sets of principals, but the set of principals associated with a local name 

depends on the principal owning the local name space, while the set of principals associated 
with a global name does not. We denote the set of global names by G with generic element g,
the set of local names by N with generic element n, and the set of keys (principals) by K with
generic element k. We assume that all these sets are pairwise disjoint and that K is nonempty.

Global identifiers are either keys or global names.[2]

The elements of $K \cup G \cup N$ are said to be simple names. We form principal expressions
from simple names inductively. Simple names are principal expressions, and if p and q are
principal expressions, then so is (p's q). Abadi's semantics (and ours) makes the latter operation
associative, in that ((p's q)'s r) and (p's (q's r)) have the same meaning. In light of this, we
can ignore parenthesization when writing such expressions. The expression $p_1$'s $\ldots$ $p_{m-1}$'s $p_m$
is written in SDSI as (ref: $p_1, \ldots, p_m$).[3] We remark for future reference that SDSI has a special
global name denoted "DNS!!", which represents the root of the DNS (Internet mail) hierarchy;
this allows us to express an email address such as bob@fudge.com as DNS!!'s com's fudge's bob.

SDSI allows a principal to issue certificates of the form $n \mapsto p$, signed with its key. If
k issues such a certificate, it has the effect of binding local name n in k's name space to the
principals denoted by the principal expression p.[4] Notice that only principals issue certificates,
and that these certificates bind a local name (not a global name) to some set of principals. In
general, a local name may be bound to a unique principal, no principal, or many principals.
SDSI allows a principal k to issue certificates $n \mapsto p_1$ and $n \mapsto p_2$. This has the effect of
binding n to (at least) the principals denoted by $p_1$ and $p_2$.

SDSI provides a name-resolution algorithm for computing the set of principals bound to a
name. The core of the algorithm consists of a nondeterministic procedure REF2. For ease of
exposition, we take REF2 to have four arguments: a principal k, a function c that associates
with each principal k' a set of bindings (intuitively, ones that correspond to certificates signed
by k'), a function $\beta$ which associates with each global name g a set of principals (intuitively, the
ones bound to g), and a principal expression p. REF2(k, $\beta$, c, p) returns the principal(s) bound
to p in k's name space, given the bindings $\beta$ and the certificates c. REF2 is nondeterministic;
the set of possible outputs of REF2 is taken to be the set of principals bound to p in k's name
space. REF2 is described in Figure 1.[5]

2.2 Abadi's Logic: Syntax, Semantics, and Axiomatization 

The formulas in Abadi's logic are formed by starting with a set of primitive propositions and
formulas of the form $p \mapsto p'$, where p and p' are principal expressions. More complicated formulas
are formed by closing off under conjunction, negation, and formulas of the form $p \text{ says } \phi$,
where $\phi$ is a formula.

[2] Note that Abadi uses G for global identifier; thus, his G corresponds to our $G \cup K$.

[3] SDSI allows m to be 0, taking (ref: ) to be the current principal. In Section 6, we follow Abadi by considering
an expression Self that represents (ref: ).

[4] SDSI also allows other forms of binding that we do not consider here. Our notation is also a simplification
of that used by SDSI.

[5] Our version of REF2 is similar, although not identical, to Abadi's. Like Abadi's, it is simpler than that in
[RL96], in that we do not deal with a number of issues, such as quoting or encrypted objects, dealt with by
SDSI. Our presentation of REF2 differs from Abadi's mainly in its treatment of global names. Abadi assumes
that REF2 takes only two arguments, o and p, where o is either a global identifier (i.e., an element of $G \cup K$) or
the current principal, denoted cp. Although he does not write c explicitly as an argument, he does assume that
there is a set he denotes assumptions(o) that includes bindings corresponding to signed certificates. In addition,
it includes bindings for cp. We do not have a distinguished current principal; rather, if the current principal is k,
then for uniformity we assume that all of the current principal's bindings are also described by the bindings in
c(k). More significantly, if g is a global name, then Abadi's REF2(o, g) would return g, while ours would return
some principal k to which g is bound in $\beta$. Our approach seems more consistent with the SDSI presentation of
REF2, but this difference is minor, and all of Abadi's results hold for our presentation of REF2.

REF2(k, β, c, p)
  if p ∈ K then return(p)
  else if p ∈ G
    then if β(p) = ∅ then fail
    else return(k') for some k' ∈ β(p)
  else if p is a local name n in N
    then if c(k) = ∅ then fail
    else for some n ↦ q ∈ c(k) return(REF2(k, β, c, q))
  else if p is of the form q's r
    then return(REF2(REF2(k, β, c, q), β, c, r))

Figure 1: Procedure REF2

Abadi views $p \mapsto p'$ as meaning that p is "bound to" p'. He considers two possible
interpretations of "bound to". The first is equality; however, he rejects this as being inappropriate.
(In particular, it does not satisfy some of his axioms.) The second is that $p \mapsto p'$ means p'
"speaks for" p, in the sense discussed in [ABLP93, LABW92]. Roughly speaking, this says
that any message certified by p' should be viewed as also having been certified by p. While
the "speaking-for" interpretation is the one favored by Abadi, he does not commit to it. Note
that under Abadi's "speaking-for" interpretation, it makes sense to write $p \mapsto p'$ for arbitrary
principal expressions p and p'. However, SDSI allows only local (simple) names to be bound
to principal expressions. We shall make a similar restriction in our logic (and, indeed, under
our semantic interpretation of binding, it would not make sense to allow an arbitrary principal
expression to be bound to another one).

The "speaks-for" interpretation intertwines issues of delegation with those of naming. As we 
suggested in the introduction, we believe these issues should be separated. We shall give $\mapsto$ a
different interpretation that we believe is simpler and more in the spirit of binding. We believe 
that the "speaks-for" relation of [ABLP93, LABW92] should have quite different semantics 
than that of binding names to principals. (We hope to return to this issue in future work.) 

Abadi interprets $p \text{ says } \phi$ as "the principal denoted by p makes a statement that implies $\phi$".
In the case where p is a key (i.e., principal) k, this could mean that k signs a statement saying
$\phi$. Under our more restrictive interpretation, this is exactly how we interpret our analogue to
says.

In any case, note that Abadi translates SDSI's local name n being bound to p as $n \mapsto p$
and captures k signing a certificate saying n is bound to p by the formula $k \text{ says } n \mapsto p$. For
future reference, it is worth noting that, in order to capture the binding of names to principals,
no use is made of primitive propositions.

Abadi interprets formulas in his logic with respect to a tuple $(W, \sigma, \rho, \mu)$. The function $\sigma$
maps global identifiers ($G \cup K$) to subsets of W. The function $\rho$ maps $N \times W$ to subsets of W.
Finally, $\mu$ associates with each world (principal) k and primitive proposition p a truth value
$\mu(p, k)$.

Abadi does not provide any intuition for his semantics, but suggests that W should be 
thought of as a set of possible worlds, as in modal logic. However, he also suggests [private 
communication, 1999] that his semantics was motivated by the work of Grove and Halpern 
[GH93], in which the corresponding set contains pairs consisting of a world and an agent. Some 
of Abadi's definitions make more intuitive sense if we think of W as a set of agents, while others 
make more sense if we think of W as a set of worlds. We elaborate on this point below. 

Given $k \in W$ and $p \in P$, Abadi defines $[[p]]_k$ inductively, as follows:

• $[[g]]_k = \sigma(g)$, for $g \in G \cup K$

• $[[n]]_k = \rho(n, k)$, for $n \in N$

• $[[p_1\text{'s } p_2]]_k = \bigcup\{[[p_2]]_{k'} : k' \in [[p_1]]_k\}$

Here we have used a notation corresponding to the interpretation of the "worlds" in W as
agents. Using this interpretation we may think of $[[p]]_k$ as the set of principals bound to principal
expression p according to k. The clause for $[[p_1\text{'s } p_2]]_k$ then says that if k' is one of the principals
referred to by k as $p_1$, then k uses $p_1$'s $p_2$ to refer to any principal referred to by k' as $p_2$.

Abadi also defines what it means for a formula $\phi$ to be true at world $k \in W$, written $k \models \phi$,
inductively, by

• $k \models p$ iff $\mu(p, k) = \mathit{true}$, if p is a primitive proposition

• $k \models \phi \wedge \psi$ iff $k \models \phi$ and $k \models \psi$

• $k \models \neg\phi$ iff $k \not\models \phi$

• $k \models p \mapsto p'$ iff $[[p]]_k \subseteq [[p']]_k$

• $k \models p \text{ says } \phi$ iff $k' \models \phi$ for all $k' \in [[p]]_k$.

These clauses defining $\models$ are quite intuitive if one interprets W to be a set of worlds and
considers $[[p]]_k$ to be the set of worlds consistent with what principal p has said at world k. In
particular, under this interpretation, the clause for says can be read as stating that $p \text{ says } \phi$
if $\phi$ holds in all worlds consistent with what p has said. The clause for $\mapsto$ also has quite a
plausible reading under the "speaks-for" interpretation of this construct: it states that p' speaks
for p if all worlds consistent with what p has said are consistent with what p' has said, i.e., p is
constrained to speak consistently with what p' has said. However, it seems rather difficult to
extend this intuitive reading to encompass the inductive definition of $[[p]]_k$. In particular, it is
far from clear to us what intuitive understanding to assign to the clause for $[[p_1\text{'s } p_2]]_k$ on this
reading.

On the other hand, note that if we interpret the worlds as agents, then we can think of
$k \models \phi$ as saying that $\phi$ is true when local names are interpreted according to agent k. But this
reading of the clauses, when combined with the intuitive reading of $[[p]]_k$ as the set of principals
that k refers to using p, also has its difficulties. Intuitively, when n is bound to p in principal
k's local name space, the principals that k refers to using p should be a subset of the principals
that k refers to using n. Abadi interprets n being bound to p as $n \mapsto p$; this holds with respect
to principal k when $[[p]]_k$ is a superset of $[[n]]_k$. This is precisely the opposite of what we would
expect. Thus, neither the interpretation of W as a set of worlds nor the interpretation of W as
a set of agents gives a fully satisfactory justification for Abadi's semantics. As we shall see, in
our semantics, the interpretation of a principal expression p according to an agent will be a set
of agents, but we use the reverse of Abadi's containment to represent binding.

Reflexivity: $p \mapsto p$

Transitivity: $(p \mapsto q) \Rightarrow ((q \mapsto r) \Rightarrow (p \mapsto r))$

Left Monotonicity: $(p \mapsto q) \Rightarrow ((p\text{'s } r) \mapsto (q\text{'s } r))$

Globality: $(p\text{'s } g) \mapsto g$, if g is a global identifier

Associativity: $((p\text{'s } q)\text{'s } r) \mapsto (p\text{'s } (q\text{'s } r))$ and $(p\text{'s } (q\text{'s } r)) \mapsto ((p\text{'s } q)\text{'s } r)$

Linking: $(p \text{ says } (n \mapsto r)) \Rightarrow ((p\text{'s } n) \mapsto (p\text{'s } r))$, if n is a local name

Speaking-for: $(p \mapsto q) \Rightarrow ((q \text{ says } \phi) \Rightarrow (p \text{ says } \phi))$

Figure 2: Abadi's axioms for linked local name spaces

Abadi provides an axiom system for his logic, which has three components:

1. The standard axioms and rules of propositional logic.

2. The standard axiom and rule for modal logic for the says operator:

   $(p \text{ says } (\phi \Rightarrow \psi)) \Rightarrow ((p \text{ says } \phi) \Rightarrow (p \text{ says } \psi))$

   and the rule: from $\phi$ infer $p \text{ says } \phi$.

3. New axioms dealing with linked local name spaces, shown in Figure 2.

He shows that this axiomatization is sound, but conjectures it is not complete.

2.3 Name Resolution in Abadi's Logic

Abadi proves a number of interesting results relating his logic to SDSI. First, he shows that in
a precise sense his logic can simulate REF2. He provides a collection of name-resolution rules
NR and proves the following results:[6]

Proposition 2.1: Given a collection c of bindings corresponding to signed certificates and a
set $\beta$ of bindings of global names to keys, let $\Sigma$ be the conjunction of the formulas $k \text{ says } n \mapsto q$

[6] The results stated here are a variant of those stated in Abadi's paper, since our version of REF2 differs
slightly from his. Nevertheless, the proofs of the results are essentially identical.
for each certificate $n \mapsto q \in c(k)$ and the formulas $g \mapsto k$ for each $k \in \beta(g)$. Then $\Sigma \Rightarrow$
$((k\text{'s } p) \mapsto k_1)$ is provable with the name resolution rules NR if and only if REF2(k, $\beta$, c, p)
yields $k_1$.

Proposition 2.2: The name resolution rules are sound with respect to the logic. That is, given
$\Sigma$ as in Proposition 2.1 and any principal expression p, if $\Sigma \Rightarrow (p \mapsto k)$ is provable using NR
then $\Sigma \Rightarrow (p \mapsto k)$ is also provable in the logic.

These results show that any bindings of names to principals that can be deduced using 
REF2 can also be deduced using Abadi's logic. However, Abadi shows that his logic is actually 
more powerful than REF2, by giving two examples of conclusions that can be deduced from his 
logic but not using REF2: 

Example 2.3: Using the Globality, Associativity, and Transitivity axioms, if k and k' are
keys, we immediately get $k\text{'s } (\text{Lampson's } k') \mapsto k'$. This result does not follow from the REF2
algorithm. That is, REF2(k, $\beta$, c, Lampson's k') does not necessarily yield k' for arbitrary c and
$\beta$ (in particular, it will not do so if Lampson is not bound to anything in c).

Example 2.4: Suppose c consists of the four certificates that correspond to the following
formulas: $k \text{ says } (\text{Lampson} \mapsto k_1)$, $k \text{ says } (\text{Lampson} \mapsto k_2)$, $k_1 \text{ says } (\text{Ron} \mapsto \text{Rivest})$, and
$k_2 \text{ says } (\text{Rivest} \mapsto k_3)$ (where $k$, $k_1$, $k_2$, and $k_3$ are keys). Using the Speaking-for axiom, it
is not hard to show that we can conclude that $k\text{'s } (\text{Lampson's Ron}) \mapsto k_3$. It is easy to show
that REF2 cannot reach this conclusion; that is, REF2(k, $\beta$, c, Lampson's Ron) does not yield
$k_3$ for any $\beta$.[7]
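To make Figure 1 and Examples 2.3 and 2.4 concrete, here is an added Python example (not from the paper) that runs REF2 with its nondeterminism made explicit: it returns the set of every principal REF2 can yield, computed as a least fixpoint so that circular certificates terminate. The key and global-name sets, the DNS!! chain, and the cyclic certificate are constructed for illustration.

```python
# Added example, not from the paper: the REF2 procedure of Figure 1 with its
# nondeterminism made explicit, i.e. it returns the SET of every principal
# REF2(k, beta, c, p) can yield (empty set = every branch fails).  The results
# are computed as a least fixpoint over (key, expression) pairs, so a circular
# certificate such as n |-> n's m terminates instead of recursing forever.
# K and G (keys and global names) are constructed sets; any other simple name
# is a local name.  An expression p_1's ... p_m is the tuple ("p_1", ..., "p_m");
# associativity means the tuple needs no parentheses.
from typing import Dict, Set, Tuple

Expr = Tuple[str, ...]
Bindings = Dict[str, Set[Tuple[str, Expr]]]   # c(k) = {(n, q) : k certified n |-> q}


def ref2(k: str, beta: Dict[str, Set[str]], c: Bindings, p: Expr, K, G) -> Set[str]:
    table: Dict[Tuple[str, Expr], Set[str]] = {}

    def lookup(k: str, p: Expr) -> Set[str]:
        # results found so far for REF2(k, beta, c, p); registers the pair for later rounds
        return table.setdefault((k, p), set())

    def one_round(k: str, p: Expr) -> Set[str]:
        s = p[0]
        out: Set[str] = set()
        if len(p) == 1:
            if s in K:                              # a key resolves to itself
                return {s}
            if s in G:                              # a global name: any key in beta(g), else fail
                return set(beta.get(s, ()))
            for n, q in c.get(k, ()):               # a local name: follow each n |-> q in c(k)
                if n == s:
                    out |= lookup(k, q)
            return out
        for k2 in lookup(k, p[:1]):                 # q's r: resolve q at k, then r at each answer
            out |= lookup(k2, p[1:])
        return out

    lookup(k, p)
    while True:                                     # Kleene iteration until nothing changes
        size, changed = len(table), False
        for pair in list(table):
            found = one_round(*pair)
            if not found <= table[pair]:
                table[pair] |= found
                changed = True
        if not changed and len(table) == size:
            return set(table[(k, p)])


# Constructed universe for the examples below.
KEYS = {"k", "k'", "k1", "k2", "k3", "k_dns", "k_com", "k_fudge", "k_bob"}
GLOBALS = {"DNS!!"}
BETA = {"DNS!!": {"k_dns"}}


def example_2_3(lampson_bound: bool) -> Set[str]:
    """REF2(k, beta, c, Lampson's k'): yields k' only when Lampson is bound in c(k)."""
    c: Bindings = {"k": {("Lampson", ("k1",))}} if lampson_bound else {}
    return ref2("k", BETA, c, ("Lampson", "k'"), KEYS, GLOBALS)


def example_2_4() -> Set[str]:
    """The four certificates of Example 2.4; REF2 never reaches k3 for Lampson's Ron."""
    c: Bindings = {
        "k": {("Lampson", ("k1",)), ("Lampson", ("k2",))},
        "k1": {("Ron", ("Rivest",))},
        "k2": {("Rivest", ("k3",))},
    }
    return ref2("k", BETA, c, ("Lampson", "Ron"), KEYS, GLOBALS)


def email_example() -> Set[str]:
    """DNS!!'s com's fudge's bob, resolved through a constructed chain of bindings."""
    c: Bindings = {
        "k_dns": {("com", ("k_com",))},
        "k_com": {("fudge", ("k_fudge",))},
        "k_fudge": {("bob", ("k_bob",))},
    }
    return ref2("k", BETA, c, ("DNS!!", "com", "fudge", "bob"), KEYS, GLOBALS)


def cyclic_example() -> Set[str]:
    """n |-> k1 and n |-> n's m: k2 is reachable only by resolving n a second time."""
    c: Bindings = {"k": {("n", ("k1",)), ("n", ("n", "m"))}, "k1": {("m", ("k2",))}}
    return ref2("k", BETA, c, ("n",), KEYS, GLOBALS)
```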

In reference to Example 2.3, Abadi [Aba98] says that "it is not clear whether [these con- 
clusions] are harmful, and they might in fact be useful". In general, he views it as a feature 
of his logic that it allows reasoning about names without knowing their bindings [private com- 
munication, 1999]. While we agree that, in general, reasoning about names without knowing 
their bindings is a powerful feature, we believe it is important to make clear exactly which 
conclusions are desirable and which are not. This is what a good semantics can provide. Under
our semantics, neither of these two conclusions are valid. In fact, our logic draws precisely 
the same conclusions as REF2. Of course, the conclusions of Examples 2.3 and 2.4 are valid 
under Abadi's semantics but, as we observed earlier, Abadi's semantics is not really meant to 
be used as a guide to which conclusions are acceptable (and, indeed, as we shall see, it validates 
a number of conclusions that do not seem so acceptable). 

Abadi also considers the effect of extending his axiom system. In particular, he considers 
adding the following two axioms: 

• the converse of Globality: $g \mapsto (p\text{'s } g)$

[7] SPKI certificates and SDSI certificates have a slightly different syntactic form. A SPKI certificate issued by k
to bind n to p could be expressed in the logic as $k \text{ says } (k\text{'s } n \mapsto p)$. Abadi has remarked [private communication,
1999] that if we rewrite the example using assertions in this form, the corresponding conclusion of this example
would not follow in his logic. We have followed the SDSI format for certificates in this paper, but note that after
some minor changes to the definitions, all the results in Sections 3-5 would still apply to SPKI certificates.
• a generalization of Linking: $(p \text{ says } (p_1 \mapsto p_2)) \Rightarrow (p\text{'s } p_1 \mapsto p\text{'s } p_2)$, for an arbitrary
principal $p_1$ (instead of a local name).

The generalization of Linking is in fact sound under Abadi's semantics. The converse of Globality
is not, but only because we may have $[[p]]_k = \emptyset$. Note that $[[p]]_k = \emptyset$ iff $k \models p \text{ says false}$;
thus, the following variant of the converse of Globality is sound under Abadi's semantics:
$\neg(p \text{ says false}) \Rightarrow (g \mapsto (p\text{'s } g))$.

This is quite relevant to our purposes because Abadi shows that if we added the two axioms
above to his system, then from $k \text{ says } (\text{DNS!!} \mapsto k)$, we can conclude $\text{DNS!!} \mapsto k$. Thus,
just from k saying that DNS!! is bound to k, it follows that DNS!! is indeed bound to k. This is
particularly disconcerting under Abadi's "speaks-for" interpretation, where $\text{DNS!!} \mapsto k$ becomes
"k speaks for DNS!!". We certainly do not want an arbitrary principal to speak for the name
server!

Abadi proves a result showing that such conclusions are not derivable from hypotheses of a 
certain type in his logic (which does not have these two axioms). 

Proposition 2.5: [Aba98] Let k and k' be distinct global names; let $\phi$ be a formula of the form
$(k' \text{ says } (n_1 \mapsto p_1)) \wedge \ldots \wedge (k' \text{ says } (n_k \mapsto p_k))$, where $n_1, \ldots, n_k$ are local names and $p_1, \ldots, p_k$
are principal expressions; let $\psi$ be a formula of the form $(k \text{ says } \psi_1) \wedge \ldots \wedge (k \text{ says } \psi_m)$, where
$\psi_1, \ldots, \psi_m$ are arbitrary formulas. Then $\phi \wedge \psi \Rightarrow (k' \mapsto k)$ is not valid.[8]

While Proposition 2.5 provides some assurance that undesirable formulas are not derivable
in the logic, it does not provide much. Indeed, if we allow the $\psi$ to include the formula $\neg(k' \text{ says false})$,
then the result no longer holds. In fact, it follows from our earlier discussion that
the formula

$(k \text{ says } (\text{DNS!!} \mapsto k)) \wedge \neg(k \text{ says false}) \Rightarrow (\text{DNS!!} \mapsto k)$

is valid. Moreover, it does not seem so unreasonable to allow conjuncts such as $\neg(k \text{ says false})$
as part of $\psi$. We certainly want to be able to use the logic to say that if a principal's
statements are not blatantly inconsistent, then certain conclusions follow.

3 The Logic of Local Name Containment 

In this section we propose the Logic of Local Name Containment (henceforth LLNC) as an 
alternative to Abadi's logic. LLNC interprets local names as sets of principals and interprets 
SDSI certificates as stating containment relationships between these sets. We define the syntax 
in Section 3.1. In Section 3.2 we describe two distinct semantics for the logic. Section 3.3 
presents a complete axiomatization. 

3.1 Syntax 

LLNC has syntactic elements that are closely related to the syntactic elements of Abadi's logic. 
However, our notation differs slightly from Abadi's to help emphasize some of the differences 
in intuition. 

[8] Abadi's result actually says "$\phi \wedge \psi \Rightarrow (k' \mapsto k)$ is not derivable"; since his axiomatization is sound, but not
necessarily complete, the claim that it is not valid is stronger, and that is what Abadi's proof shows.
Again, we start with keys K, global names G, and local names N, and form principal
expressions from them. The formulas of our language are formed as follows:

• If p and q are principal expressions then $p \mapsto q$ is a formula.

• If $k \in K$ and $\phi$ is a formula then $k \text{ cert } \phi$ is a formula.[9]

• If $\phi_1$ and $\phi_2$ are formulas, then so are $\neg\phi_1$ and $\phi_1 \wedge \phi_2$. As usual, $\phi_1 \vee \phi_2$ is an abbreviation
for $\neg(\neg\phi_1 \wedge \neg\phi_2)$ and $\phi_1 \Rightarrow \phi_2$ is an abbreviation for $\neg\phi_1 \vee \phi_2$.

We write $\mathcal{L}$ for the set of all formulas. (For simplicity, we omit primitive propositions, although
we could easily add them. They play no role in Abadi's account of SDSI names, nor will they
in ours.)

We read the expression $p \mapsto q$ as "p contains q"; we intend for it to capture the fact that
all the keys bound to q are also bound to p. However, our intuitions about the meaning of
$p \mapsto q$ are quite different from Abadi's. In particular, we do not wish to interpret $p \mapsto q$ as "q
speaks for p." We consider the "speaks for" relation as being about rights and delegation, which
requires a more sophisticated semantics than we wish to consider here. (See [HvdMS99] for a
logic for reasoning about rights and delegation.) The expression $p \mapsto q$ should be understood
as simply asserting a containment relationship between the denotations of principal expressions
p and q; this is exactly what our semantics will enforce.

We read the expression $k \text{ cert } \phi$ as "k has certified that $\phi$." This corresponds roughly to
Abadi's $k \text{ says } \phi$. There are two significant differences, however. For one thing, we do not allow
arbitrary principal expressions on the left-hand side; only keys may certify a formula $\phi$. For
another, our interpretation of cert is more restrictive than Abadi's says, in that cert is treated
quite syntactically; it refers to an actual certificate issued by a principal, while says considers
logical consequences of such certificates. As a consequence, whereas says satisfies standard
properties of modal operators (e.g., closure under logical consequence), cert does not.

3.2 Semantics 

Our semantics is designed to model the SDSI principle that principals bind names in their local 
name space to values by issuing certificates. The interpretation of a local name depends on 
the principal and the certificates that have been issued. As the principal may rely on others 
for its interpretation of local names, the certificates issued by other principals also play a role. 
The interpretation of global names and keys will be independent of both the principal and the 
certificates that have been issued. 

A world is a pair $w = (\beta, c)$, where $\beta : G \to \mathcal{P}(K)$ and $c : K \to \mathcal{P}(\mathcal{L})$ (where $\mathcal{P}(X)$ denotes
the set of subsets of X) and $\bigcup_{k \in K} c(k)$ is finite. Intuitively, the function $\beta$ interprets global (or
fixed) names as sets of keys. The intended interpretation of the function c is that it associates

[9] For our account of SDSI naming, it would suffice to restrict this clause to formulas of the form $k \text{ cert } n \mapsto p$
where $n \in N$ and $p \in P$: our semantics will treat more general certificates as irrelevant to the meaning of principal
expressions. We allow the more general form for purposes of discussion and because we envisage generalizations
of the logic in which other types of certificates will be required.
with every key k the set of formulas c(k) that have been certified using this key. That is, if
$\phi \in c(k)$ then, intuitively, a certificate asserting $\phi$ has been signed using k.[10]

Formulas of the logic will be interpreted in a world with respect to a key. Intuitively, this 
key indicates the principal from whose perspective we interpret principal expressions. 

To interpret local names, we introduce an additional semantic construct. A local name
assignment will be a function $l : K \times N \to \mathcal{P}(K)$ associating each key and local name with a
set of keys. Intuitively, $l(k, n)$ is the set of keys represented by principal k's local name n. We
write LNA for the set of all local name assignments.

Given a world $w = (\beta, c)$, a local name assignment $l$, and a key k, we may assign to each
principal expression p an interpretation $[[p]]_{w,l,k}$, a set of keys. The definition is much like that
of Abadi's $[[p]]_k$:

• $[[k']]_{w,l,k} = \{k'\}$, if $k' \in K$ is a key,

• $[[g]]_{w,l,k} = \beta(g)$, if $g \in G$ is a global name,

• $[[n]]_{w,l,k} = l(k, n)$, if $n \in N$ is a local name,

• $[[p\text{'s } q]]_{w,l,k} = \bigcup\{[[q]]_{w,l,k'} \mid k' \in [[p]]_{w,l,k}\}$, for principal expressions $p, q \in P$.

Our intuitions for $[[p]]_{w,l,k}$ are essentially the same as for the "agent-based" reading of Abadi's
logic, discussed above. That is, $[[p]]_{w,l,k}$ is the set of keys associated with the expression p in k's
local name space, when local names are interpreted according to $l$. With respect to principal
k, the expression p's q denotes the set of principals that principals referred to by k as p refer
to as q.

We now define what it means for a formula $\phi$ to be true at a world $w = (\beta, c)$ with respect to
a local name assignment $l$ and key k, written $w, l, k \models \phi$, by induction on the structure of $\phi$.[11]

• $w, l, k \models p \mapsto q$ if $[[p]]_{w,l,k} \supseteq [[q]]_{w,l,k}$

• $w, l, k \models k' \text{ cert } \phi$ if $\phi \in c(k')$

• $w, l, k \models \neg\phi_1$ if not $w, l, k \models \phi_1$

• $w, l, k \models \phi_1 \wedge \phi_2$ if $w, l, k \models \phi_1$ and $w, l, k \models \phi_2$.

Note that the semantics of cert reinforces its syntactic nature. To determine if $k' \text{ cert } \phi$ is
true at $(w, l, k)$, we check whether a certificate has been issued in world w by k' certifying $\phi$.
Moreover, as we shall see, while we allow any formula to be certified by k, the only formulas
whose certification has a nontrivial semantic impact are those of the form $n \mapsto p$, where n is
a local name. We return to this issue below.

Footnote: We make the simplifying assumption that certificates do not have expiration dates. It is not difficult to 
extend the logic to take into account certificate expiration; see [HvdM99]. The assumption that $\bigcup_{k \in K} c(k)$ is 
finite is meant to enforce the intuition that only finitely many certificates are issued. None of our later results 
depend on this assumption, but it seems reasonable given the intended application of the logic. 

Footnote: Note that our semantics is thus in the spirit of that of Grove and Halpern [GH93], in that the truth of a 
formula depends on both an agent and some features of the world (captured by w and $l$). 
We do not consider all pairs $w,l$ as being appropriate on the left-hand side of $\models$. If $w = (\beta, c)$, 
we expect the local name assignment $l$ to respect the certificates that have been issued 
in c. That is, if c(k) includes the binding $n \mapsto p$, we would expect that $l(k,n)$ would include 
all the keys bound to p in k's name space. The question is whether there can be other keys 
bound to n in k's name space beyond those forced by the certificates. How we answer this 
question depends on our intuitions for c. For example, we could view c as the set of certificates 
received by one of the principals. This would be particularly appropriate if we wanted to reason 
about the knowledge and belief of the agents, an extension we plan to explore in future work. 
With this viewpoint, we could view $l$ as consisting of all the bindings, including ones that the 
principal does not know about. Thus, $l$ would at least have all the bindings forced by c, but 
perhaps others as well. Alternatively, we could view c as consisting of all the certificates that 
have been issued. In this case, we would want $l$ to be in some sense minimal, and have no 
bindings beyond those forced by the certificates in c. We now present two different semantics, 
which reflect each of these two intuitions. We then show that, as far as validity is concerned, 
the semantics are equivalent; that is, they have the same proof theory. 

A local name assignment $l$ is consistent with a world $w = (\beta, c)$ if, for all keys k, local 
names n, and principal expressions p, if the formula $n \mapsto p$ is in c(k), then $w,l,k \models n \mapsto p$. 
Intuitively, assignments that are not consistent with a world provide an inappropriate basis for 
the interpretation of local names, since the certificates issued by principals are not necessarily 
reflected in their local bindings. We obtain our first semantics, called the open semantics, by 
restricting to consistent local name assignments. We write $w,l,k \models_o \phi$ if $w,l,k \models \phi$ and $l$ 
is consistent with w. The formula $\phi$ is o-satisfiable if there exists a triple $w,l,k$ such that 
$w,l,k \models_o \phi$, and $\phi$ is o-valid, denoted $\models_o \phi$, if there does not exist a triple $w,l,k$ such that 
$w,l,k \models_o \neg\phi$. 

Although our syntax allows k to certify arbitrary formulas, it is easy to see that, according 
to the semantics just introduced (as well as the one we are about to introduce), only the 
certification of formulas of the form $n \mapsto p$ has any impact on consistency; all other formulas 
certified by k are ignored. There is a good reason for this restriction. We are implicitly assuming 
that when k certifies $n \mapsto p$, that very act causes all the keys bound to p to also be bound 
to n in k's name space. Thus, if $n \mapsto p \in c(k)$, then we want $n \mapsto p$ to be true in $(w,l,k)$. 
But if k certifies a formula like $k_1\text{'s } n \mapsto p$ where $k_1 \neq k$, then we cannot conclude that this 
formula is true in $(w,l,k)$ unless we are prepared to make additional assumptions about k's 
truthfulness. We feel that if such assumptions are to be made, then they should be modeled 
explicitly in the logic, not hidden in the semantics. 

It does seem reasonable to extend the notion of $l$ being consistent with w to require that if 
k certifies a formula $\psi$ which is a Boolean combination of formulas of the form $n \mapsto p$ then 
$(w,l,k) \models \psi$. However, once we allow more general Boolean combinations (in particular, once 
we allow disjunctions), there will be problems making sense out of the intuition of our next 
semantics, that there are "no bindings beyond those forced by the certificates in c". We consider 
this issue next. 

According to the open semantics, it is possible for a local name n of principal $k_1$ to be 
bound to a key $k_2$ even when no certificate concerning n has been issued. Arguably, this is 
not in accordance with the intentions of SDSI. To better capture these intentions, we define a 
second semantics, that restricts the name bindings to those forced by the certificates issued. 
To do so, we first establish that the open semantics satisfies a kind of "minimal model" 
result. Define the ordering $\le$ on the space LNA of local name assignments by $l_1 \le l_2$ if 
$l_1(k,n) \subseteq l_2(k,n)$ for all $k \in K$ and $n \in N$. It is readily seen that LNA is given the structure of 
a complete lattice [Bir67] by this relation. Say that a local name assignment $l$ is minimal in a 
set of local name assignments L if $l \in L$ and $l \le l'$ for all $l' \in L$. 

Theorem 3.1: Given a world w, there exists a unique local name assignment $l_w$ minimal in the 
set of all local name assignments consistent with w. Moreover, if p is a principal expression and 
$k_1$ and $k_2$ are keys, then $w,l_w,k_1 \models_o p \mapsto k_2$ iff, for all local name assignments $l$ consistent 
with w, we have $w,l,k_1 \models_o p \mapsto k_2$. 

The proof of this result (which, like that of all the technical results in this paper, is deferred to 
the appendix) uses standard techniques from the theory of fixed points. 

We now define our second semantics, called the closed semantics. It attempts to capture the 
intuition that the only bindings in $l$ should be those required by the certificates in c, using the 
minimal assignment promised by Theorem 3.1. We write $w,k \models_c \phi$ if $w,l_w,k \models \phi$. We say that 
$\phi$ is c-satisfiable if there exists a world w and key k such that $w,k \models_c \phi$ and that $\phi$ is c-valid, 
denoted $\models_c \phi$, if $w,k \models_c \phi$ for all worlds w and principals k. Note that by Theorem 3.1, the 
assignment $l_w$ is consistent with w, so c-satisfiability implies o-satisfiability. Thus, if $\models_o \phi$ then 
$\models_c \phi$. As we shall soon see (Theorem 3.5), somewhat surprisingly, the converse holds as well. 

3.3 A Complete Axiomatization 

We start this section by presenting a sound and complete axiomatization for LLNC with respect 
to the open semantics. We then prove that the open and closed semantics are characterized by 
the same valid formulas, so that the axiomatization is also sound and complete with respect to 
the closed semantics. 

The axiomatization depends in part on whether the set K of keys is finite or infinite. Figure 3 
describes the axiom system $AX_{inf}$ for the case where K is infinite. 

It is interesting to compare the axioms in $AX_{inf}$ to Abadi's axioms. Although we interpret 
$\mapsto$ as superset and he interprets it as subset, Reflexivity, Transitivity, Left-Monotonicity, and 
Associativity, hold in both cases, for essentially the same reasons. The switch from subset to 
superset means that the Converse of Globality holds in our case. Globality does not hold in 
general because the denotation of p's g may be empty if the denotation of p is empty (as we 
observed, this is also why the Converse of Globality does not hold in general for Abadi). In fact, 
for our logic, $p\text{'s } g \mapsto g$ holds whenever the interpretation of p is nonempty. We use $p\text{'s } k \mapsto k$ 
as a canonical way of denoting that the interpretation of p is nonempty. This explains the form 
of the Globality axiom. Since the interpretation of a key is always nonempty, we also get Key 
Globality. 

Key Linking is our analogue of Abadi's Linking axiom. Of course, we use cert whereas 
Abadi uses says; in addition, only keys can certify formulas for us. While this axiom shows 
that there are some similarities between cert and says, there are some significant differences. 
We have no analogue of Abadi's Speaking-for axiom and, unlike says, cert does not satisfy the 
standard axiom and rule of modal logic: $(k\ \mathit{cert}\ (\phi \Rightarrow \psi)) \wedge (k\ \mathit{cert}\ \phi)$ does not imply $k\ \mathit{cert}\ \psi$ 
Propositional Logic: All instances of propositional tautologies 

Reflexivity: $p \mapsto p$ 

Transitivity: $(p \mapsto q) \Rightarrow ((q \mapsto r) \Rightarrow (p \mapsto r))$ 

Left Monotonicity: $(p \mapsto q) \Rightarrow ((p\text{'s } r) \mapsto (q\text{'s } r))$ 

Associativity: $((p\text{'s } q)\text{'s } r) \mapsto (p\text{'s } (q\text{'s } r))$ 
               $(p\text{'s } (q\text{'s } r)) \mapsto ((p\text{'s } q)\text{'s } r)$ 

Key Globality: $(k\text{'s } g) \mapsto g$ if $k \in K$ and $g \in G \cup K$ 

Globality: $(p\text{'s } k \mapsto k) \Rightarrow (p\text{'s } g \mapsto g)$ if $k \in K$, $g \in G \cup K$ 

Converse of Globality: $g \mapsto (p\text{'s } g)$ if $g \in K \cup G$ 

Key Linking: $(k\ \mathit{cert}\ (n \mapsto r)) \Rightarrow ((k\text{'s } n) \mapsto (k\text{'s } r))$ if n is a local name 

Nonemptiness: (a) $p \mapsto k_1 \Rightarrow p\text{'s } k \mapsto k$ 
              (b) $\neg(p \mapsto q) \Rightarrow q\text{'s } k \mapsto k$ 
              (c) $p\text{'s } q \mapsto k_1 \Rightarrow p\text{'s } k \mapsto k$ 
              (d) $(p\text{'s } k \mapsto k \wedge k' \mapsto p) \Rightarrow (p \mapsto k')$ 

Key Distinctness: $\neg(k_1 \mapsto k_2)$ if $k_1$ and $k_2$ are distinct keys 

Modus Ponens: From $\phi$ and $\phi \Rightarrow \psi$ infer $\psi$. 

Figure 3: The axiom system $AX_{inf}$ 

and $k\ \mathit{cert}\ \phi$ is not valid even if $\phi$ is valid. Interestingly, Abadi does not use these properties of 
Speaking-for in proving that his name resolution rules NR, used to capture REF2, are sound. 
As a result, (with very minor changes) we can show that the name resolution rules are also 
sound for LLNC, and hence we can prove analogues of Propositions 2.1 and 2.2. However, we 
can actually prove a much stronger result: whereas Abadi's logic is able to draw conclusions 
about bindings that do not follow from REF2, LLNC captures REF2 exactly (see Theorem 4.1). 

$AX_{inf}$ has two axioms that do not appear in Abadi's axiomatization: Key Distinctness and 
Nonemptiness. Key Distinctness just captures the fact that we interpret keys as themselves. 
The first three parts of Nonemptiness capture various ways that an expression can be seen to 
be nonempty. For example, part (a) says that if p is bound to (i.e., is a superset of) a key, then 
its interpretation must be nonempty and part (b) says that if p is not a superset of q, then q 
must be nonempty. Part (d) of Nonemptiness says that if p is nonempty and k' is bound to p, 
then p is bound to k', i.e., p and k' have exactly the same interpretation. 

If K is finite we need to add two further axioms to $AX_{inf}$. Let $AX_{fin}$ consist of all the 
axioms and rule in $AX_{inf}$ together with: 

Witnesses: $\neg(p \mapsto q) \Rightarrow \bigvee_{k \in K} (\neg(p \mapsto k) \wedge (q \mapsto k))$ 

           $(p\text{'s } q) \mapsto k_1 \Rightarrow \bigvee_{k \in K} ((p \mapsto k) \wedge (k\text{'s } q \mapsto k_1))$ 

Current Principal: $\bigvee_{k \in K} (n_k \mapsto l_k \Leftrightarrow k\text{'s } n_k \mapsto l_k)$ 

where $n_k \in N$ and $l_k \in K$ for each $k \in K$. 

The two axioms that make up Witnesses essentially capture our interpretation of $\mapsto$ as 
containment. They tell us that facts about containment of principal expressions can be reduced 
to facts about keys. For example, the first one says that if p does not contain q, then there is 
a key bound to q that is not bound to p. Current Principal captures the fact that some key in 
K must be the current principal; if k is the current principal, then for all local names n and 
keys k', $n \mapsto k' \Leftrightarrow k\text{'s } n \mapsto k'$ holds. (This is actually true not just for local names, but for 
all principal expressions; it suffices to state the axiom just for local names.) 

While the properties captured by these two axioms continue to hold even if K is infinite, 
they can no longer be expressed in the logic, since we cannot take a disjunction over all the 
elements in K. Interestingly, we can drop Nonemptiness and Globality as axioms in $AX_{fin}$. 
These properties already follow from the other properties in the presence of Witnesses. 

As the following result shows, these axiom systems completely characterize validity in the 
logic with respect to the open semantics. 

Theorem 3.2: $AX_{inf}$ (resp., $AX_{fin}$) is a sound and complete axiomatization of LLNC with 
respect to the open semantics if K is infinite (resp., K is finite). 

In the course of proving Theorem 3.2, we also prove a "finite model" result, which we cull 
out here. Let $|\phi|$, the length of $\phi$, be the total number of symbols appearing in $\phi$. This result 
holds both when K is finite and when K is infinite. 

Proposition 3.3: Let $K_\phi$ be the keys that appear in $\phi$ and let $C_\phi(k)$ consist of all bindings 
$n \mapsto p$ such that $k\ \mathit{cert}\ n \mapsto p$ is a subformula of $\phi$. If $\phi$ is satisfiable with respect to the open 
semantics, then for all sets $K'$ of keys such that $K_\phi \subseteq K'$ and $|K'| \ge \min(|K|, 2 \cdot |\phi|^2)$, there 
is a world $w = (\beta, c)$, local name assignment $l$, and principal $k \in K'$ such that $w,l,k \models_o \phi$ and 
(a) $l(k',n) \subseteq K'$ for all $k' \in K$ and $n \in N$, (b) $l(k',n) = \emptyset$ if $k' \notin K'$, (c) $\beta(g) \subseteq K'$ for all 
$g \in G$, (d) $\beta(g) = \emptyset$ if g does not occur in $\phi$, and (e) $c(k) \subseteq C_\phi(k)$ for all keys k. 

Corollary 3.4: The problem of deciding if a formula $\phi \in$ LLNC is satisfiable with respect to 
the open semantics is NP-complete (whether K is finite or infinite). 

Proof: The lower bound is immediate from the fact that we can trivially embed satisfiability 
for propositional logic into satisfiability for LLNC. For the upper bound, given $\phi$, choose $K'$ 
such that $|K'| = \min(|K|, 2 \cdot |\phi|^2)$ and $K' \supseteq K_\phi$. Then guess $w,l,k$ as in Proposition 3.3 and 
check whether $w,l,k \models_o \phi$. Proposition 3.3 says that the guess is only polynomial in $|\phi|$; it is 
clear that checking whether $w,l,k \models_o \phi$ can also be done in time polynomial in $|\phi|$. Note that 
for $|\phi| < |K|$ (which is likely to include all cases of practical interest, given that K will typically 
be a very large set), the polynomial does not depend on $|K|$. ∎ 

As we suggested earlier, the closed semantics and the open semantics are characterized by 
exactly the same axioms. 

Theorem 3.5: The same formulas are c-valid and o-valid; i.e., for all formulas $\phi$, we have 
$\models_o \phi$ iff $\models_c \phi$. 

We remark that this result is sensitive to the language under consideration. It may no 
longer hold if we move to a more expressive language. 
Corollary 3.6: $AX_{inf}$ (resp., $AX_{fin}$) is a sound and complete axiomatization of LLNC with 
respect to the closed semantics when K is infinite (resp., finite). 

Corollary 3.7: The problem of deciding if a formula $\phi \in$ LLNC is satisfiable with respect to 
the closed semantics is NP-complete (whether K is finite or infinite). 

Let us now return to the contentious axioms discussed by Abadi. Converse of Globality is 
valid in LLNC, as we observed earlier. The generalization of Linking considered by Abadi, 
restricted to be syntactically well formed, amounts to 

$(k\ \mathit{cert}\ (p_1 \mapsto p_2)) \Rightarrow (k\text{'s } p_1 \mapsto k\text{'s } p_2)$. 

In general, this is not valid, since our semantics ignores certificates stating $p_1 \mapsto p_2$ when $p_1$ is 
not a local name. Thus, we avoid the "unreasonable" conclusions that can be drawn from these 
axioms. In particular, it does not follow in our logic that $(k\ \mathit{cert}\ (\mathit{DNS!!} \mapsto k)) \Rightarrow \mathit{DNS!!} \mapsto k$. 
However, the reason it does not follow in LLNC is quite different from the reason it does not 
follow in Abadi's logic: since DNS!! is a global name, a certificate such as $k\ \mathit{cert}\ (\mathit{DNS!!} \mapsto k)$ 
has no impact on the interpretation of global names. This captures the intuition that k should 
not be trusted when making assertions about bindings not under its control. If we were willing 
to trust k on everything, then concluding that k is bound to DNS!! after k certifies that it is 
would not seem so unreasonable. 

The following formula is also not valid in LLNC: 

$(\neg(k\ \mathit{cert}\ \mathit{false}) \wedge (k\ \mathit{cert}\ (\mathit{DNS!!} \mapsto k))) \Rightarrow \mathit{DNS!!} \mapsto k$. 

(This formula corresponds to the one that we noted earlier is valid in Abadi's logic.) Failure 
to issue a certificate stating false has no more impact on global names than does any other 
behavior of k. Nor would a precondition asserting that the interpretation of k is non-empty 
validate the formula, since this is true in every world. We can in fact prove the following 
generalization of Abadi's Proposition 2.5, which provides a stronger statement of the safety of 
our logic than Abadi's result. 

Proposition 3.8: Let $\Gamma$ be any c-satisfiable boolean combination of formulas of the form 
$k\ \mathit{cert}\ \phi$, and let $\Delta$ be any boolean combination of formulas of the form $p \mapsto q$ where neither 
p nor q contains a local name. Then $\models_c \Gamma \Rightarrow \Delta$ iff $\models_c \Delta$. 

Informally, Proposition 3.8 says that facts about global names are completely independent of 
facts about certificates; issuing certificates can have no impact on the global name assignment. 
As we observed earlier, the analogous result does not hold for Abadi's logic. 

4 Name Resolution in LLNC 

In this section, we show that LLNC captures REF2 exactly. Indeed, we show that it does so 
for several distinct semantic interpretations. Define the order $\ge$ on worlds by $(\beta', c') \ge (\beta, c)$ if 

1. $\beta'(g) \supseteq \beta(g)$ for all global names g, and 

2. $c'(k) \supseteq c(k)$ for all keys k. 

That is, $w' \ge w$ when $w'$ contains more certificates than w and the bindings to global names 
in w are a subset of those in $w'$. If $\Sigma$ is a set of formulas and $\phi$ is a formula, we write $\Sigma \models_o \phi$ 
if for all worlds w, local name assignments $l$ consistent with w and all keys k, if $w,l,k \models_o \psi$ for 
all $\psi$ in $\Sigma$ then $w,l,k \models_o \phi$. Similarly, $\Sigma \models_c \phi$ if for all worlds w and all keys k, if $w,k \models_c \psi$ 
for all $\psi$ in $\Sigma$ then $w,k \models_c \phi$. 

Theorem 4.1: Suppose $k_1, k_2$ are principals, $w = (\beta, c)$ is a world, and p is a principal 
expression. Let $\Sigma_w$ be the set of all formulas $g \mapsto k$ for all global names g and keys $k \in \beta(g)$ 
and the formulas $k\ \mathit{cert}\ \phi$ for all keys k and formulas $\phi \in c(k)$. The following are equivalent: 

1. $k_1 \in \mathrm{REF2}(k_2, \beta, c, p)$, 

2. $w, k_2 \models_c p \mapsto k_1$, 

3. $w', k_2 \models_c p \mapsto k_1$ for all worlds $w' \ge w$, 

4. $\Sigma_w \models_c k_2\text{'s } p \mapsto k_1$, 

5. $\Sigma_w \models_o k_2\text{'s } p \mapsto k_1$. 



This theorem gives a number of perspectives on name resolution in LLNC. The equivalence 
between (1) and (2) in this theorem tells us that REF2 is sound and complete with respect to 
key binding, according to the semantics of LLNC. That is, $\mathrm{REF2}(k, \beta, c, p)$ yields k' iff $p \mapsto k'$ 
is forced to be true by the bindings of global names in $\beta$ and the certificates in c. Thus, viewed 
as a specification of the meaning of SDSI names, the closed semantics and REF2 are equivalent. 

Informally, we have viewed REF2 as a procedure that is run by an omniscient agent with 
complete information about the interpretation of global names and the certificates that have 
been issued. It is also possible to understand REF2 as performing a computation based on the 
limited information available to a particular principal. Suppose that the world w expresses the 
limited information this principal has about the binding of global names and the certificates 
that have been issued. Suppose that w' describes the actual bindings of global names and the 
certificates that have been issued. Assuming that all of the principal's information is correct, 
then w < w' . Thus, the set of w' > w is the set of all worlds w' that are consistent with the 
information available to the principal. (We could formalize this using the Kripke semantics for 
the logic of knowledge in a distributed system [HM90].) The equivalence between (2) and (3) 
essentially shows that it doesn't matter whether we view the principal as having total or partial 
information. 

The implication from (1) to (4) in Theorem 4.1 is analogous to Abadi's soundness result, 
Proposition 2.2. Of course, the converse implication gives us completeness, which, as Abadi 
himself observed, does not hold for Abadi's logic (since it validates conclusions that do not 
follow from REF2). Interestingly, although, as we have seen, there are significant differences 
between LLNC and Abadi's logic, an examination of Abadi's soundness proof reveals that it 
does not use the Speaking-for rule, the unrestricted form of Globality, or the standard axiom 
and rule for the modal operator says, which are the main points of difference with our logic. 
This observation says that the proof of the implication from (1) to (4) is essentially the same 
for LLNC and for Abadi's logic. 

It is instructive to understand why the formulas considered in Examples 2.3 and 2.4, which 
give conclusions in Abadi's logic beyond those derivable by REF2, are not valid in LLNC. 
It is easy to see why the formula $k\text{'s } (\mathit{Lampson}\text{'s } k') \mapsto k'$ from Example 2.3 (which, by 
Associativity and Transitivity, is equivalent to $(k\text{'s } \mathit{Lampson})\text{'s } k' \mapsto k'$) is not valid in LLNC. 
This is simply because the antecedent of (our version of) Globality does not always hold. Now 
consider the formula in Example 2.4. The proof that this is valid in Abadi's logic uses the 
Speaking-for axiom, which does not hold for us (if we replace says by cert). To see that it 
is not valid in LLNC, consider a world $w = (\beta, c)$ containing only the certificates forced by 
the formulas (i.e., $c(k) = \{\mathit{Lampson} \mapsto k_1, \mathit{Lampson} \mapsto k_2\}$, $c(k_1) = \{\mathit{Ron} \mapsto \mathit{Rivest}\}$, 
$c(k_2) = \{\mathit{Rivest} \mapsto k_3\}$). Then it is easy to see that $w, k \not\models_c k\text{'s } (\mathit{Lampson}\text{'s } \mathit{Ron}) \mapsto k_3$, since 
$[\![k\text{'s } (\mathit{Lampson}\text{'s } \mathit{Ron})]\!]_{w,l_w,k} = \emptyset$ whereas $[\![k_3]\!]_{w,l_w,k} = \{k_3\}$. 
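The closed-semantics computation behind this example, as an added illustration written for this page (it is not code from the paper). It represents the principal expression p's q as the tuple ("s", p, q), computes the minimal local name assignment $l_w$ of Theorem 3.1 by iterating the operator $T_w$ from the appendix starting at the empty assignment, and checks containment formulas under both semantics. The class and function names (World, interp, minimal_assignment, holds_closed, holds_open) are this example's own; the keys k, k1, k2, k3 and the certificates are those of Example 2.4, and L_OPEN is a constructed non-minimal assignment that is still consistent with that world.

```python
# Added example: LLNC interpretation, the operator T_w and its least fixed point l_w.
from typing import Dict, List, Set, Tuple, Union

Expr = Union[str, tuple]                 # basic name, or ("s", p, q) for the expression p's q
LNA = Dict[Tuple[str, str], Set[str]]    # a local name assignment l(k, n)


def S(p: Expr, q: Expr) -> Expr:
    """Build the principal expression p's q."""
    return ("s", p, q)


class World:
    """A world w = (beta, c). Certificates are kept as bindings (n, p), meaning n |-> p,
    since those are the only certified formulas the semantics consults."""

    def __init__(self, keys, globals_, locals_, beta, certs):
        self.K, self.G, self.N = set(keys), set(globals_), set(locals_)
        self.beta = {g: set(beta.get(g, ())) for g in self.G}
        self.c: Dict[str, List[Tuple[str, Expr]]] = {k: list(certs.get(k, ())) for k in self.K}


def interp(p: Expr, w: World, l: LNA, k: str) -> Set[str]:
    """[[p]]_{w,l,k}: the set of keys that k's local name space associates with p."""
    if isinstance(p, tuple):                       # p's q: union of [[q]] over keys in [[p]]
        _, q, r = p
        out: Set[str] = set()
        for k2 in interp(q, w, l, k):
            out |= interp(r, w, l, k2)
        return out
    if p in w.K:                                   # a key denotes itself
        return {p}
    if p in w.G:                                   # a global name is read from beta
        return set(w.beta[p])
    return set(l.get((k, p), ()))                  # a local name is read from l


def T(w: World, l: LNA) -> LNA:
    """T_w(l)(k, n) = union of [[p]]_{w,l,k} over the bindings n |-> p in c(k)."""
    new: LNA = {(k, n): set() for k in w.K for n in w.N}
    for k in w.K:
        for n, p in w.c[k]:
            new[(k, n)] |= interp(p, w, l, k)
    return new


def minimal_assignment(w: World) -> LNA:
    """l_w: least fixed point of T_w, reached by iterating from the empty assignment."""
    l: LNA = {(k, n): set() for k in w.K for n in w.N}
    while True:
        nxt = T(w, l)
        if nxt == l:
            return l
        l = nxt


def consistent(w: World, l: LNA) -> bool:
    """l is consistent with w iff every certified binding n |-> p in c(k) holds at (w, l, k)."""
    return all(interp(n, w, l, k) >= interp(p, w, l, k) for k in w.K for n, p in w.c[k])


def holds_closed(w: World, k: str, p: Expr, q: Expr) -> bool:
    """w, k |=_c p |-> q: [[p]] contains [[q]] under the minimal assignment l_w."""
    l = minimal_assignment(w)
    return interp(p, w, l, k) >= interp(q, w, l, k)


def holds_open(w: World, l: LNA, k: str, p: Expr, q: Expr) -> bool:
    """w, l, k |=_o p |-> q: l must be consistent with w and [[p]] must contain [[q]]."""
    return consistent(w, l) and interp(p, w, l, k) >= interp(q, w, l, k)


# The world of Example 2.4 (no global names are needed for it).
EX24 = World(
    keys=["k", "k1", "k2", "k3"], globals_=[], locals_=["Lampson", "Ron", "Rivest"],
    beta={},
    certs={"k": [("Lampson", "k1"), ("Lampson", "k2")],
           "k1": [("Ron", "Rivest")],
           "k2": [("Rivest", "k3")]},
)

# A constructed assignment that adds bindings beyond those forced by the certificates
# (k1 binds both Ron and Rivest to k3); it is consistent with EX24 but not minimal.
L_OPEN: LNA = {key: set(v) for key, v in minimal_assignment(EX24).items()}
L_OPEN[("k1", "Ron")] = {"k3"}
L_OPEN[("k1", "Rivest")] = {"k3"}

if __name__ == "__main__":
    target = S("k", S("Lampson", "Ron"))           # k's (Lampson's Ron)
    print("closed:", holds_closed(EX24, "k", target, "k3"))     # False, as in the text
    print("open (L_OPEN):", holds_open(EX24, L_OPEN, "k", target, "k3"))   # True
```

Under $l_w$ the local name Ron in k1's name space stays empty, because k1 certified only Ron ⟼ Rivest and nothing binds Rivest in k1's space; so the formula fails under the closed semantics exactly as the text says. The same formula is o-satisfiable, witnessed by L_OPEN, which is what the second half of Theorem 3.1 predicts: a containment holds under the closed semantics iff it holds under every consistent assignment.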

5 Logic Programming Implementations of Name Resolution Queries 

The reader familiar with the theory of logic programming may have noted a close resemblance of 
the results and constructions of the preceding sections to the (now standard) fixpoint semantics 
for logic programs developed originally by van Emden and Kowalski [EK76]. Indeed, it is 
possible to translate our semantics into the framework of logic programming. In fact, we provide 
a translation that does not require the use of function symbols and thus produces a Datalog 
program, a restricted type of logic program that has significant computational advantages over 
unrestricted logic programs. Our translation allows us to take advantage of the significant body 
of research on the optimization of Datalog programs [Ull88, Ull89]. 

The idea is to translate queries to formulas in a first-order language over a vocabulary V 
which consists of a constant symbol for each element in $K \cup G \cup N$ and a ternary predicate 
symbol name. Intuitively, $\mathit{name}(x,y,z)$ says that, in the local name space of key x, the basic 
principal expression (i.e., key, global name or local name) y is bound to key z. 

Using name, for each principal expression p and pair of variables x, y, we define a first-order 
formula $T_{x,y}(p)$ that, intuitively, corresponds to the assertion "$y \in [\![p]\!]_x$," by induction on the 
structure of p: 

1. $T_{x,y}(p) = \mathit{name}(x, p, y)$ when $p \in K \cup G \cup N$. 

2. $T_{x,y}(q\text{'s } r) = \exists z (T_{x,z}(q) \wedge T_{z,y}(r))$, where $z \neq x, y$. 

Recall that a Herbrand structure over the vocabulary V is a first-order structure that has 
as its domain the set of constant symbols $K \cup G \cup N$ in V and interprets each constant symbol 
as itself. Such a structure may be represented as a set of tuples of the form $\mathit{name}(x, y, z)$, where 
$x, y, z \in K \cup G \cup N$. The subset relation on such sets partially orders the Herbrand structures. 

We say that a Herbrand structure M over V represents a world $w = (\beta, c)$ and local name 
assignment $l$ if, for all $x, y, z \in K \cup G \cup N$, we have $\mathit{name}(x, y, z) \in M$ iff either 

1. $x, y, z \in K$ and $z = y$, or 

2. $x \in K$, $y \in G$ and $z \in \beta(y)$, or 

3. $x \in K$, $y \in N$ and $z \in l(x, y)$. 

Intuitively, M represents w and $l$ if it encodes all the interpretations of basic principal expressions 
given by w and $l$. The following result, whose straightforward proof is left to the reader, 
shows that in this case M also captures the interpretation of all other principal expressions, 
and expresses the correctness of our translation of principal expressions. 

Proposition 5.1: If M represents w and $l$ then, for all principal expressions p and $x, y \in 
K \cup G \cup N$, we have $M \models T_{x,y}(p)$ iff $x, y \in K$ and $w, l, x \models p \mapsto y$. 

We now show how a logic program can be used to capture the relationship between w and 
$l_w$. For each world $w = (\beta, c)$, we define a theory (set of sentences) $\Sigma_w$ that characterizes w; 
$\Sigma_w$ consists of the following sentences: 

1. a sentence $\mathit{name}(k_1, k_2, k_2)$, for each pair of keys $k_1, k_2 \in K$, and 

2. the sentence $\mathit{name}(k_1, g, k_2)$, for each pair of keys $k_1, k_2 \in K$ and global name $g \in G$ such 
that $k_2 \in \beta(g)$, 

3. the sentence $\forall y (T_{k,y}(q) \Rightarrow \mathit{name}(k, n, y))$, for each key k and binding $n \mapsto q$ in c(k). 

After some equivalence-preserving syntactic transformations (moving the existentials in the 
body of these sentences to the front), the theory is a definite Horn theory, i.e., it consists 
of formulas of the form $\forall x (B \Rightarrow H)$, where B is a (possibly empty) conjunction of atoms (that 
is, formulas of the form $\mathit{name}(x, y, z)$ or $y = z$) and H is an atom. Well-known results from the 
theory of logic programming show that such a theory $\Sigma$ has a Herbrand model $M_\Sigma$ minimal with 
respect to the containment ordering on Herbrand structures. Moreover, this minimal Herbrand 
model captures the minimal name assignments for w. 

Theorem 5.2: The minimal Herbrand model $M_w$ of $\Sigma_w$ represents w and $l_w$. 

Using Proposition 5.1, we immediately obtain the following corollary. 

Corollary 5.3: For all $x, y \in K \cup G \cup N$ and principal expressions p, we have $M_w \models T_{x,y}(p)$ 
iff $x, y \in K$ and $w, x \models_c p \mapsto y$. 

Because $\Sigma_w$ is a definite Horn theory, it corresponds to a logic program. Moreover, for 
existential queries, i.e., queries $\phi$ that are sentences formed from atomic formulas using only 
conjunction, disjunction and existential quantification (but not negation), we have that $\Sigma$ entails 
$\phi$ iff $M_\Sigma \models \phi$. This enables us to exploit logic programming technology to obtain efficient 
implementations of several types of queries, corresponding to different choices of bound and 
free variables in the predicate "name". We may even form complex queries not corresponding in 
any direct way to the capacities of the procedure REF2. Examples of this include the following: 

1. the query $\mathit{name}(k_1, n, k_2)$ returns "yes" if $k_2$ is bound to the local name n according to $k_1$; 

2. the query $\mathit{name}(X, n, k)$ returns the set of keys X such that k is in n according to X; 

3. the query $\mathit{name}(k_1, X, k_2)$ returns the set of global and local names X containing $k_2$ 
according to $k_1$; 

4. the query $\mathit{name}(k_1, n, X) \wedge \mathit{name}(k_2, n, X)$ returns the set of keys X that $k_1$ and $k_2$ agree 
to be associated with local name n. 

Many more possibilities clearly exist. These observations show the advantage of viewing name 
resolution in a logic programming framework. 
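The translation $\Sigma_w$ and the four query shapes above, as an added example that is not the paper's code and uses no Datalog engine: rules are evaluated bottom-up by naively iterating the immediate-consequence operator until the least Herbrand model is reached, and name resolution is read off it as Corollary 5.3 describes. Variables are written with a leading "?" (so "?Y" plays the role of y in $T_{k,y}$); the function names translate, program, minimal_model, query and resolve are this example's own, and the world (keys kA, kB, kC, the global name root!!, the local names friends and poker-buddies and their certificates) is constructed for the demonstration.

```python
# Added example: Datalog translation of a world and bottom-up evaluation of name queries.
from itertools import count
from typing import Dict, Iterator, List, Optional, Set, Tuple, Union

Expr = Union[str, tuple]            # basic name, or ("s", p, q) for the expression p's q
Atom = Tuple[str, str, str]         # arguments of name(x, y, z); a term starting with "?" is a variable
Rule = Tuple[Atom, List[Atom]]      # head :- body (conjunction of atoms)


def is_var(t: str) -> bool:
    return t.startswith("?")


def translate(p: Expr, x: str, y: str, fresh: Iterator[str]) -> List[Atom]:
    """T_{x,y}(p): name atoms asserting y in [[p]]_x. For p's q a fresh variable z is
    introduced; it is implicitly existential, as in a Datalog rule body."""
    if isinstance(p, tuple):
        _, q, r = p
        z = next(fresh)
        return translate(q, x, z, fresh) + translate(r, z, y, fresh)
    return [(x, p, y)]


def program(keys: List[str], beta: Dict[str, Set[str]],
            certs: Dict[str, List[Tuple[str, Expr]]]) -> Tuple[Set[Atom], List[Rule]]:
    """Sigma_w: (1) facts name(k1,k2,k2); (2) facts name(k1,g,k2) for k2 in beta(g);
    (3) a rule name(k, n, ?Y) :- T_{k,?Y}(q) for each certified binding n |-> q in c(k)."""
    facts: Set[Atom] = {(k1, k2, k2) for k1 in keys for k2 in keys}
    facts |= {(k1, g, k2) for k1 in keys for g, ks in beta.items() for k2 in ks}
    fresh = (f"?Z{i}" for i in count())
    rules: List[Rule] = [((k, n, "?Y"), translate(q, k, "?Y", fresh))
                         for k, bindings in certs.items() for n, q in bindings]
    return facts, rules


def match(atom: Atom, fact: Atom, env: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Extend the substitution env so that atom under env equals fact, or return None."""
    env = dict(env)
    for t, v in zip(atom, fact):
        if is_var(t):
            if env.get(t, v) != v:
                return None
            env[t] = v
        elif t != v:
            return None
    return env


def solve(body: List[Atom], facts: Set[Atom]) -> List[Dict[str, str]]:
    """All substitutions under which every atom of the conjunction is a fact (a naive join)."""
    envs: List[Dict[str, str]] = [{}]
    for atom in body:
        envs = [e2 for e in envs for f in facts
                for e2 in [match(atom, f, e)] if e2 is not None]
    return envs


def minimal_model(facts: Set[Atom], rules: List[Rule]) -> Set[Atom]:
    """Least Herbrand model M_w: iterate the immediate-consequence operator to a fixpoint."""
    M = set(facts)
    while True:
        derived = {tuple(e.get(t, t) for t in head)
                   for head, body in rules for e in solve(body, M)}
        if derived <= M:
            return M
        M |= derived


def query(M: Set[Atom], *body: Atom) -> List[Dict[str, str]]:
    """Existential conjunctive query over name; each answer binds the ?-variables."""
    return solve(list(body), M)


def resolve(M: Set[Atom], k: str, p: Expr) -> Set[str]:
    """REF2(k, beta, c, p) read off M_w (Corollary 5.3): the answers y to T_{k,y}(p)."""
    fresh = (f"?Q{i}" for i in count())
    return {e["?Y"] for e in solve(translate(p, k, "?Y", fresh), M)}


# Constructed sample world: keys kA, kB, kC; one global name root!!; two local names.
SAMPLE_FACTS, SAMPLE_RULES = program(
    keys=["kA", "kB", "kC"],
    beta={"root!!": {"kC"}},
    certs={"kA": [("friends", "kB"),
                  ("poker-buddies", ("s", "kB", "poker-buddies"))],   # kA: poker-buddies |-> kB's poker-buddies
           "kB": [("poker-buddies", "kC"), ("poker-buddies", "kA")]},
)
M_SAMPLE = minimal_model(SAMPLE_FACTS, SAMPLE_RULES)

if __name__ == "__main__":
    print(resolve(M_SAMPLE, "kA", ("s", "friends", "poker-buddies")))   # {'kC', 'kA'}
    print(query(M_SAMPLE, ("?X", "poker-buddies", "kC")))                # X in {kA, kB}
```

The fixpoint needs two rounds on this world: the first derives kB's poker-buddies from its certificates, the second lets kA's rule, whose body is name(kA, kB, ?Z0) ∧ name(?Z0, poker-buddies, ?Y), fire through the key fact name(kA, kB, kB). Query 3 also returns keys, because of the facts name(k1, k2, k2); filter the answers by N ∪ G if only names are wanted.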

6 Self 

Abadi considers an extension of his logic obtained by adding a special basic principal expression 
Self, intended to represent SDSI's expression (ref:). (We remark that Self is essentially the 
same as I in the logic of naming considered in [GH93].) Intuitively, Self denotes the current 
principal. The semantics given to Self by Abadi extends the definition of the set of principals 
associated with a principal expression by taking $[\![\mathit{Self}]\!]_a = \{a\}$ for each $a \in W$. This suffices 
to validate the following axiom. 

Identity: $\mathit{Self}\text{'s } p \mapsto p$    $p \mapsto \mathit{Self}\text{'s } p$ 
          $p\text{'s } \mathit{Self} \mapsto p$    $p \mapsto p\text{'s } \mathit{Self}$ 

These axioms very reasonably capture the intuition that Self refers to the current principal. 

However, not all consequences of this semantics for Self are so reasonable. For example, 
the following is valid under Abadi's semantics: 

$(k_P\ \mathit{says}\ \mathit{US} \mapsto \mathit{Self}) \wedge (k_P\ \mathit{says}\ \mathit{US} \mapsto k_{VP}) \Rightarrow k_P\ \mathit{says}\ ((\mathit{US}\ \mathit{says}\ \mathit{false}) \vee (\mathit{Self} \mapsto k_{VP}))$    (1) 

Interpreting $k_P$ as the key of the president of the US and $k_{VP}$ as the key of the vice-president, this 
is clearly unreasonable. It should not follow from the fact that the president says that both he 
and the vice-president speak for the US that according to the president, either the US speaks 
nonsense or the vice president speaks for the president. 

Abadi's suggested semantics for Self works much better in the context of the logic LLNC. 
Suppose we extend this logic to include Self, and like Abadi, define $[\![\mathit{Self}]\!]_k = \{k\}$ for keys $k \in 
K$. This again validates the Identity axioms above. To get completeness, we just need to add one 
axiom in addition to Identity, which basically says that Self acts like a key (cf. Nonemptiness 
(d)): 

Self-is-key: $\mathit{Self} \mapsto p \wedge p\text{'s } k \mapsto k \Rightarrow p \mapsto \mathit{Self}$. 

Let $AX^{\mathit{Self}}_{inf}$ (resp., $AX^{\mathit{Self}}_{fin}$) be the result of adding Identity and Self-is-key to $AX_{inf}$ (resp., 
$AX_{fin}$). Let $\mathrm{LLNC}^{\mathit{Self}}$ be the language that results when we add Self to the syntax. 

Theorem 6.1: $AX^{\mathit{Self}}_{inf}$ (resp., $AX^{\mathit{Self}}_{fin}$) is a sound and complete axiomatization of $\mathrm{LLNC}^{\mathit{Self}}$ with 
respect to the open semantics if K is infinite (resp., K is finite). 

Proposition 3.3 and Theorem 3.5 hold with essentially no change in proof for $\mathrm{LLNC}^{\mathit{Self}}$; it 
follows that $AX^{\mathit{Self}}_{inf}$ (resp., $AX^{\mathit{Self}}_{fin}$) is also complete with respect to the closed semantics and the 
satisfiability problem is NP-complete. 

Interestingly, the proof of completeness shows that once we add Identity and Self-is-key to 
the axioms, we no longer need Current Principal as an axiom in the finite case. Here is a sketch 
of the argument: From Identity we get that $\mathit{Self}\text{'s } k \mapsto k$ is provable for any key k. Now 
applying Witnesses, we get that $\bigvee_{k \in K} \mathit{Self} \mapsto k$ is provable. Together with Self-is-key, this 
says that Self is one of the keys in K. Identity (together with Transitivity) tells us that for 
that key k that is Self, $n \mapsto k' \Leftrightarrow k\text{'s } n \mapsto k'$ holds, giving us Current Principal. 

Note that with our semantics for Self, the counterintuitive conclusion (1) does not follow. 
From $k_P\ \mathit{cert}\ \mathit{US} \mapsto \mathit{Self}$ and $k_P\ \mathit{cert}\ \mathit{US} \mapsto k_{VP}$ it follows that $[\![\mathit{US}]\!]_{k_P} \supseteq \{k_P, k_{VP}\}$. Thus, 
we have neither $[\![\mathit{US}]\!]_{k_P} = \emptyset$ nor $\{k_{VP}\} \supseteq [\![\mathit{US}]\!]_{k_P}$, which would be required to get a conclusion 
similar to that drawn by Abadi's logic. 

7 Conclusions 

We have introduced a logic LLNC for reasoning about SDSI's local name spaces and have 
argued that it has some significant advantages over Abadi's logic. Among other things, it 
provides a complete characterization of SDSI's REF2, has an elegant complete axiomatization, 
and its connections with Logic Programming lead to efficient implementations of many queries 
of interest. 

We believe that some of the dimensions in which Abadi's logic differs from SDSI warrant 
further investigation. For example, under some sensible interpretations, the conclusions reached 
by Abadi's logic in Example 2.4 are quite reasonable. One such interpretation is that while local 
names may be bound to more than one key, they are intended to denote a single individual. If 
k knows that $k_1$ and $k_2$ are two keys used by the one individual Lampson, and Lampson uses 
$k_1$ to certify that his local name Ron is bound to the name Rivest, and also uses his key $k_2$ to 
certify that his local name Rivest is bound to $k_3$, then it is very reasonable to conclude that 
k's Lampson's Ron is bound to $k_3$. Another interpretation supporting this conclusion would be 
that says aggregates the certificates issued using a number of distinct keys (possibly belonging 
to distinct individuals) much in the way that the notion of distributed knowledge [FHMV95] 
from the literature on reasoning about knowledge aggregates the knowledge of a collection 
of agents. We believe that our semantic framework, which, unlike Abadi's, makes the set of 
certificates issued explicit, provides an appropriate basis for the study of such issues. 

Our semantic framework also lends itself to a number of generalizations, which we are 
currently exploring. These include reasoning about the beliefs of principals and reasoning 
about permission, authority, and delegation. We hope to report on this work shortly. 

A Proofs 

In this appendix, we prove all the technical results stated in the main text. For ease of exposi- 
tion, we repeat the statements of the results here. 






Theorem 3.1: Given a world $w$, there exists a unique local name assignment $l_w$ minimal in the set of all local name assignments consistent with $w$. Moreover, if $p$ is a principal expression and $k_1$ and $k_2$ are keys, then $w, l_w, k_1 \models_o p \mapsto k_2$ iff, for all local name assignments $l$ consistent with $w$, we have $w, l, k_1 \models_o p \mapsto k_2$.

Proof: This result can be established using standard results from the theory of fixed points. Suppose $(X, \le)$ is a complete partial order. Denote the least upper bound of a set $Y \subseteq X$ by $\sqcup Y$. A mapping $T : X \to X$ is said to be monotonic if for all $x \le y$ in $X$ we have $T(x) \le T(y)$. Such a mapping $T$ is said to be continuous if for all infinite increasing sequences $x_0 \le x_1 \le \ldots$ in $X$ we have $T(\sqcup\{x_i : i \in \mathbb{N}\}) = \sqcup\{T(x_i) : i \in \mathbb{N}\}$. Note that continuity implies monotonicity. To establish continuity of a monotonic mapping $T$, it suffices to show that $T(\sqcup\{x_i : i \in \mathbb{N}\}) \le \sqcup\{T(x_i) : i \in \mathbb{N}\}$, since the opposite inequality is immediate from monotonicity.

For a fixed expression $p$, world $w$ and key $k$, the set $[\![p]\!]_{w,l,k}$ is easily seen to be monotonic in $l$, i.e., if $l \le l'$ then $[\![p]\!]_{w,l,k} \subseteq [\![p]\!]_{w,l',k}$. Moreover, it is also continuous in $l$.

Lemma A.1: Suppose $l_0 \le l_1 \le \ldots$ is an increasing sequence of local name assignments and let $l_\omega = \sqcup_{m \in \mathbb{N}} l_m$. For all principal expressions $p$, we have $[\![p]\!]_{w,l_\omega,k} = \bigcup_{m \in \mathbb{N}} [\![p]\!]_{w,l_m,k}$.

Proof: By a straightforward induction on the structure of $p$. ∎

Given the world $w = (\beta, c)$, we define an operator $T_w$ on the space $\mathit{LNA}$ of local name assignments. For a local name assignment $l$, we define $T_w(l)$ to be the local name assignment such that for all $k \in K$ and $n \in N$, the set $T_w(l)(k, n)$ is the union of the sets $[\![p]\!]_{w,l,k}$ such that the formula $n \mapsto p$ is in $c(k)$. The following lemma follows easily from Lemma A.1.

Lemma A.2: The mapping $T_w$ is a continuous operator on $(\mathit{LNA}, \le)$.

The following lemma is almost immediate from the definitions.

Lemma A.3: A local name assignment $l$ is consistent with a world $w$ iff $T_w(l) \le l$.

Suppose $(X, \le)$ is a complete partial order with minimal element $\bot$. An element $x \in X$ is said to be a pre-fixpoint of an operator $T$ on $X$ if $T(x) \le x$, and a fixpoint of $T$ if $T(x) = x$.

Given an operator $T$ on $X$, define a sequence of elements $T \uparrow \gamma$, where $\gamma$ is an ordinal, as follows. For the base case, let $T \uparrow 0 = \bot$. For successor ordinals $\gamma + 1$, define $T \uparrow (\gamma + 1) = T(T \uparrow \gamma)$. For limit ordinals $\gamma$, define $T \uparrow \gamma = \sqcup\{T \uparrow \delta : \delta < \gamma\}$. A well-known result (see [LNS82] for a discussion of its history) states that if $T$ is continuous then this sequence converges to the least pre-fixpoint of $T$, that convergence has taken place by $\gamma = \omega$, and that $T \uparrow \omega$ is in fact a fixpoint of $T$. Thus, we obtain as a corollary of Lemma A.2 and Lemma A.3 that there exists a minimal local name assignment consistent with $w$, and that this local name assignment equals $T_w \uparrow \omega$. The second half of Theorem 3.1 is immediate from the earlier observation that $[\![p]\!]_{w,l,k}$ is monotonic in $l$. ∎
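The fixpoint construction above is SDSI name resolution in bottom-up form, and it is short enough to run. The following Python is an added example, not code from the paper: it encodes principal expressions as tuples, defines $[\![p]\!]_{w,l,k}$, the operator $T_w$ and the chain $T_w \uparrow 0 \le T_w \uparrow 1 \le \ldots$, and computes $l_w$ for a small constructed world in which Ron and Joe each bind poker-buddies partly in terms of the other's binding. The keys, names and certificates are invented for the illustration, and the function names are mine.

```python
# Added example (not from the paper): the semantics of LLNC principal
# expressions and the least consistent local name assignment l_w = T_w ↑ ω
# of Theorem 3.1, computed by iterating T_w from the empty assignment.
#
# Principal expressions are tuples:
#   ("key", k)     a key
#   ("global", g)  a global name, interpreted by beta
#   ("local", n)   a local name, interpreted by the current principal
#   ("s", p, q)    p's q
# A world is a pair (beta, certs): beta maps each global name to a set of
# keys; certs maps a key k to the list of bindings (n, p) it has certified,
# i.e. the certificates k cert (n |-> p).  A local name assignment l is a
# dict from (key, local name) to a set of keys; missing entries are empty.


def key(k):
    return ("key", k)


def glob(g):
    return ("global", g)


def local(n):
    return ("local", n)


def s(p, q):
    return ("s", p, q)


def interp(p, beta, l, k0):
    """[[p]]_{w,l,k0}: the keys denoted by p from principal k0's point of view."""
    tag = p[0]
    if tag == "key":
        return {p[1]}
    if tag == "global":
        return set(beta.get(p[1], ()))
    if tag == "local":
        return set(l.get((k0, p[1]), ()))
    _, q, r = p                      # p's q: resolve r at each key that q denotes
    result = set()
    for k in interp(q, beta, l, k0):
        result |= interp(r, beta, l, k)
    return result


def t_w(beta, certs, l):
    """One application of T_w: T_w(l)(k, n) is the union of [[p]]_{w,l,k}
    over all certificates n |-> p issued by k."""
    nxt = {}
    for k, bindings in certs.items():
        for n, p in bindings:
            nxt.setdefault((k, n), set()).update(interp(p, beta, l, k))
    return nxt


def kleene_chain(beta, certs):
    """The chain T_w ↑ 0 <= T_w ↑ 1 <= ..., up to the first repetition.
    Only finitely many keys occur in a finite world, so the chain is
    stationary after finitely many steps; its last element is T_w ↑ ω."""
    chain = [{}]
    while True:
        nxt = t_w(beta, certs, chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def least_assignment(beta, certs):
    """l_w, the minimal local name assignment consistent with w (Theorem 3.1)."""
    return kleene_chain(beta, certs)[-1]


def consistent(beta, certs, l):
    """Lemma A.3: l is consistent with w iff T_w(l) <= l, i.e. every
    certificate k cert (n |-> p) is true at k: l(k, n) contains [[p]]_{w,l,k}."""
    return all(interp(p, beta, l, k) <= set(l.get((k, n), ()))
               for k, bindings in certs.items() for n, p in bindings)


def holds(beta, l, k0, p, q):
    """w, l, k0 |= p |-> q  iff  [[p]]_{w,l,k0} contains [[q]]_{w,l,k0}."""
    return interp(q, beta, l, k0) <= interp(p, beta, l, k0)


def with_extra(l, extra):
    """l with the key `extra` added to every binding: a candidate non-minimal
    assignment, to be checked with consistent()."""
    return {kn: set(ks) | {extra} for kn, ks in l.items()}


# Constructed world (not from the paper).  Ron and Joe each bind
# poker-buddies, and each includes the other's poker-buddies, so the
# certificates are mutually recursive; "auditors" is a global name.
BETA = {"auditors": {"k_dave"}}
CERTS = {
    "k_ron": [("joe", key("k_joe")),
              ("poker-buddies", key("k_carol")),
              ("poker-buddies", s(local("joe"), local("poker-buddies"))),
              ("auditors", glob("auditors"))],
    "k_joe": [("ron", key("k_ron")),
              ("poker-buddies", key("k_alice")),
              ("poker-buddies", key("k_bob")),
              ("poker-buddies", s(local("ron"), local("poker-buddies")))],
}

CHAIN = kleene_chain(BETA, CERTS)   # T_w ↑ 0, T_w ↑ 1, T_w ↑ 2 (= l_w)
L_W = CHAIN[-1]
```

For this world the chain stabilises after two steps: $T_w \uparrow 1$ binds Ron's poker-buddies to $\{k_{carol}\}$ only, because the compound joe's poker-buddies is still empty at that stage, and $T_w \uparrow 2$ adds $k_{alice}$ and $k_{bob}$ through the link to Joe. Adding a key $k_{eve}$ that issues no certificates to every binding (with_extra) yields another consistent assignment in which poker-buddies $\mapsto k_{eve}$ holds at $k_{ron}$; it fails in $l_w$, so by the second half of Theorem 3.1 that formula is not a consequence of the world's certificates.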

Theorem 3.2: $\mathrm{AX}_{\mathit{inf}}$ (resp., $\mathrm{AX}_{\mathit{fin}}$) is a sound and complete axiomatization of LLNC with respect to the open semantics if $K$ is infinite (resp., $K$ is finite).

Proof: We start with the completeness proof for $\mathrm{AX}_{\mathit{inf}}$, so we assume that $K$ is infinite. We then show how to deal with $\mathrm{AX}_{\mathit{fin}}$. As usual, it suffices to show that if $\varphi$ is $\mathrm{AX}_{\mathit{inf}}$-consistent, then $\varphi$ is satisfiable. In fact, we put a little extra work into our proof that $\varphi$ is satisfiable so that we can prove Proposition 3.3 as well.

Let $\mathit{Sub}(\varphi)$ consist of all subformulas of $\varphi$. We say that a principal expression $p'$ is a variant of $p$ if $p \mapsto p'$ and $p' \mapsto p$ are both provable using only Reflexivity, Associativity, and Transitivity. The left-associative variant of a principal expression $p$ is the one where we associate all terms to the left. Thus, $((n_1$'s $n_2)$'s $n_3)$'s $n_4$ is the left-associative variant of $n_1$'s $((n_2$'s $n_3)$'s $n_4)$.

Define $P$ to be the smallest set of principal expressions such that

1. if $p \mapsto q$ is in $\mathit{Sub}(\varphi)$ then $p$ and $q$ are in $P$,

2. if $k\ \mathbf{cert}\ (n \mapsto p) \in \mathit{Sub}(\varphi)$ then $k$'s $n$ and $k$'s $p$ are in $P$,

3. if $p \in P$ and $p'$ is the left-associative variant of $p$, then $p' \in P$,

4. $P$ is closed under subexpressions, so that if $p$'s $q \in P$, then so are $p$ and $q$,

5. if $k \in P$ is a key and $n \in P$ is a local name, then $k$'s $n \in P$.

For Proposition 3.3, it is necessary to get an upper bound on the size of $P$ in terms of $|\varphi|$.

Lemma A.4: $|P| \le 2 \cdot |\varphi|^2$.

Proof: Let $|p|$ be the total number of expressions in $G \cup K \cup N$ that appear in $p$, counted with multiplicity. An easy proof by induction on structure shows that a principal expression $p$ has at most $|p|$ subexpressions, at least one of which must be in $G \cup K \cup N$. For every other subexpression $q$, there is a unique left-associative variant $q'$, which has at most $|q'| = |q| \le |p|$ subexpressions, each of which is associated to the left. Thus, starting with a principal expression $p$, the least set closed under clauses 3 and 4 above contains at most $|p|^2$ elements. Now a straightforward induction on the structure of $\varphi$ shows that the least set $P'$ closed under clauses 1-4 above has at most $|\varphi|^2$ expressions. Finally, it is easy to see that closing off under 5 gives us $P$, since the set that results after closing off under 5 is still closed under 1-4. Moreover, this final step adds at most $|\varphi|^2$ expressions $k$'s $n$, since both $k$ and $n$ must be subexpressions of $\varphi$. ∎

Let $k_0$ be some key not occurring in $P$. We use $k_0$ both to express emptiness of expressions in $P$ and as the "current principal". Define $P_1$ to be the set of principal expressions $P \cup \{k_0\} \cup \{p$'s $k_0 : p \in P\}$. Let $E$ consist of the formulas $p$'s $k_0 \mapsto k_0$ for each $p \in P$. Note that all principal expressions occurring in the formulas in $E$ are in $P_1$. Let $S$ be an $\mathrm{AX}_{\mathit{inf}}$-consistent set containing $\varphi$ and, for every formula $\psi \in \mathit{Sub}(\varphi) \cup E$, either $\psi$ or $\neg\psi$. Since $\varphi$ is $\mathrm{AX}_{\mathit{inf}}$-consistent, there must be some $\mathrm{AX}_{\mathit{inf}}$-consistent set $S$ of this form.

Define $S^+ = \mathit{Cl}(S, P_1)$ to be the smallest set of formulas containing $S$ closed under Reflexivity, Transitivity, Left Monotonicity, Converse of Globality, Globality, Key Linking, Nonemptiness, Key Distinctness, and left-associative variants, in the sense that

(ClR) if $p \in P_1$, then $p \mapsto p \in S^+$,

(ClT) if $p \mapsto q$ and $q \mapsto r$ are both in $S^+$, then $p \mapsto r \in S^+$,

(ClLM) if $p \mapsto q \in S^+$, $p$'s $r \in P_1$, and $q$'s $r \in P_1$, then $p$'s $r \mapsto q$'s $r \in S^+$,

(ClCG) if $p$'s $g \in P_1$ for $g \in K \cup G$, then $g \mapsto p$'s $g \in S^+$,

(ClG) if $p$'s $k \mapsto k \in S^+$ for some key $k$ and $p$'s $g \in P_1$, where $g \in K \cup G$, then $p$'s $g \mapsto g \in S^+$,

(ClKL) if $k\ \mathbf{cert}\ (n \mapsto p) \in S^+$, then $k$'s $n \mapsto k$'s $p \in S^+$,

(ClK) if $p \mapsto k' \in S^+$ and $p$'s $k \in P_1$, then $p$'s $k \mapsto k \in S^+$,

(ClN) if $\neg(p \mapsto q) \in S^+$ and $q$'s $k \in P_1$, then $q$'s $k \mapsto k \in S^+$,

(ClC) if $p$'s $q \mapsto k_1 \in S^+$ and $p$'s $k \in P_1$, then $p$'s $k \mapsto k \in S^+$,

(ClNE) if $p$'s $k \mapsto k$ and $k' \mapsto p$ are both in $S^+$, then $p \mapsto k' \in S^+$,

(ClKD) if $k$ and $k'$ are distinct keys in $P$, then $\neg(k \mapsto k') \in S^+$,

(ClLV) if $p'$ is the left-associative variant of $p \in P$, then $p \mapsto p' \in S^+$ and $p' \mapsto p \in S^+$.



It is easy to see that $S^+$ is $\mathrm{AX}_{\mathit{inf}}$-consistent, since $S$ is and each of the closure rules emulates an axiom in $\mathrm{AX}_{\mathit{inf}}$. Our goal now is to show that there exists a triple $w, l, k$ such that $w, l, k \models \psi$ for all $\psi \in S$ (and thus, in particular, $w, l, k \models \varphi$).

Lemma A.5: If $k_0$ appears in the formula $p \mapsto q \in S^+$, then $k_0$ appears in both $p$ and $q$.

Proof: An easy induction on the construction of $S^+$, using the fact that all principal expressions occurring in $S^+$ are in $P_1$ and $k_0$ appears only as the rightmost expression in a principal expression in $P_1$. ∎

By Lemma A.5, if $p \mapsto q \in S^+$ and one of the expressions $p, q$ is in $P$ (and thus does not mention $k_0$) then so is the other. Define a binary relation $\approx$ on $P$ by $p \approx q$ if both $p \mapsto q$ and $q \mapsto p$ are in $S^+$. It is immediate from transitivity and reflexivity that $\approx$ is an equivalence relation on $P$. Given $p \in P$, we write $[p]$ for the equivalence class of $p$ under $\approx$.

We classify the expressions in $P$ as follows. Say that an expression $p$ in $P$ is empty (with respect to $S^+$) if $\neg(p$'s $k_0 \mapsto k_0)$ is in $S^+$. Say that $p$ is key-equivalent if it is not empty and $k \mapsto p$ is in $S^+$ for some key $k$ (by (ClNE) this implies $p \approx k$). Intuitively, the interpretation of an empty expression will be the empty set, and the interpretation of a key-equivalent expression $p$ such that $k \mapsto p \in S^+$ will be $\{k\}$. If $p$ is neither empty nor key-equivalent, we say it is open. Clearly, every expression in $P$ is either empty, key-equivalent, or open. Moreover, by (ClLM) and (ClT), if $p \approx q$ then $p$ is empty, key-equivalent or open iff $q$ is. In particular, we may sensibly refer to open $\approx$-equivalence classes of expressions in $P$.

Let $O$ be the set of open equivalence classes of expressions in $P$. Note that if $K_\varphi \subseteq K$ consists of all the keys in $K$ that appear in $\varphi$, then there are fewer than $2 \cdot |\varphi|^2 - |K_\varphi|$ equivalence classes of open expressions. For each class $c \in O$, let $k_c$ be a fresh key. Intuitively, the key $k_c$ will act as a canonical representative of the keys in the interpretation of an expression $p \in c$, in the sense that the interpretations of $p$'s $q$ and $k_c$'s $q$ will be the same for certain expressions $q$. Since $K$ is infinite, we are guaranteed that we can always find keys $k_c$, but the argument works even if $K$ is finite, as long as $|K| > 2 \cdot |\varphi|^2$. (We also need to have a key in $K \setminus K_\varphi$ to serve as $k_0$.)

Define $S^*$ to consist of $S^+$ together with, for all $c \in O$,

1. the formula $k_c \mapsto k_c$, and

2. the formulas $p \mapsto k_c$, where for some $q \in c$ we have $p \mapsto q \in S^+$.

It is easy to show that $k_0$ does not appear in any formula in $S^* - S^+$: Clearly $k_0$ does not appear in the formulas $k_c \mapsto k_c$ added by clause 1. If $p \mapsto k_c$ is a formula added by clause 2, then there is some equivalence class $c$ and expression $q \in c$ such that $p \mapsto q \in S^+$. Since $c$ is an equivalence class of expressions in $P$, none of which contain $k_0$, the expression $q$ does not contain $k_0$. It follows from Lemma A.5 that $p$ does not contain $k_0$. Since $S^* - S^+$ contains no formulas involving $k_0$, $S^*$ also satisfies the property stated for $S^+$ in Lemma A.5.

Define the local name assignment $l$ as follows. Given a key $k$ and local name $n$,

1. $l(k_0, n) = \{k' \in K \mid n \mapsto k' \in S^*\}$,

2. $l(k, n) = \{k' \in K \mid k$'s $n \mapsto k' \in S^*\}$ if $k \in P$,

3. $l(k, n) = \{k' \in K \mid p$'s $n \mapsto k' \in S^*$ for some $p \in c\}$ if $k = k_c$ for some $c \in O$,

4. $l(k, n) = \emptyset$ for all other $k$.

Define the world $w = (\beta, c)$ by taking $\beta(g) = \{k \in K \mid g \mapsto k \in S^*\}$ and defining $c(k)$, for each key $k$, to be the set of formulas $n \mapsto p$ such that $(k\ \mathbf{cert}\ (n \mapsto p)) \in S$. Note for future reference that there exists a finite subset $K_1$ of $K$ such that $l(k, n) \subseteq K_1$ for all $k$ and $n$, $l(k, n) = \emptyset$ for $k \notin K_1$, $\beta(g) \subseteq K_1$, and $\beta(g) = \emptyset$ if $g$ does not appear in $\varphi$. Indeed, $K_1$ consists of the keys that appear in $S$, $k_0$, and the keys $k_c$ for $c \in O$.

Let $I(p) = \{k \in K \mid p \mapsto k \in S^*\}$.
Lemma A.6: If $p \in P$, then $p$ is empty iff $I(p) = \emptyset$.

Proof: If $p$ is not empty, then it is either key-equivalent or open. If it is key-equivalent, we have already observed that there must exist some key $k'$ such that $p \mapsto k' \in S^*$, so $I(p) \ne \emptyset$. If it is open, suppose it is in equivalence class $c$. Then $p \mapsto k_c \in S^*$, since $p \mapsto p \in S^+$ by (ClR). Again, it follows that $I(p) \ne \emptyset$.

Conversely, suppose that $I(p) \ne \emptyset$. Thus, $p \mapsto k \in S^*$ for some key $k$. If $p \mapsto k \in S^+$, then by (ClK), $p$'s $k_0 \mapsto k_0 \in S^+$, so $p$ is not empty. If $p \mapsto k \notin S^+$, then $k = k_c$, and there is some $q \in c$ such that $p \mapsto q \in S^+$. Since $q$ is open, $q$ cannot be empty, so $q$'s $k_0 \mapsto k_0 \in S^+$. Moreover, by (ClLM), $p$'s $k_0 \mapsto q$'s $k_0 \in S^+$. Thus, by (ClT), $p$'s $k_0 \mapsto k_0 \in S^+$, so $p$ is not empty. ∎

Lemma A.7: For all expressions $p \in P$, we have $[\![p]\!]_{w,l,k_0} = I(p)$.

Proof: We proceed by induction on $|p|$ (as defined in Lemma A.4). The claim is immediate from the definitions in case $p$ is a global name or a local name. Suppose that $p$ is a key $k_1$. Then $[\![p]\!]_{w,l,k_0} = \{k_1\}$. Since $k_1 \mapsto k_1 \in S^*$ by construction, it follows that $k_1 \in I(k_1)$. It remains to show that $I(k_1) \subseteq \{k_1\}$. Suppose $(k_1 \mapsto k) \in S^*$. By Lemma A.5, we cannot have $k = k_0$. Since $S^+$ is $\mathrm{AX}_{\mathit{inf}}$-consistent and closed under (ClKD), if $k \in P$ we must have $k_1 = k$. The remaining possibility for $k$, that it equals $k_c$ for some $c \in O$, cannot happen. For if so, only the second clause of the definition of $S^*$ could explain $(k_1 \mapsto k) \in S^*$. But then we have $(k_1 \mapsto q) \in S^+$ for some $q \in c$, so $q$ is key-equivalent. This contradicts the assumption that $c$ is an equivalence class of open expressions.

Finally, suppose that $|p| > 1$. Let $p'$ be the left-associative variant of $p$. It is clear from the semantics that $[\![p]\!]_{w,l,k_0} = [\![p']\!]_{w,l,k_0}$. Moreover, (ClLV) and (ClT) guarantee that $I(p) = I(p')$. Thus, it suffices to prove that $I(p') = [\![p']\!]_{w,l,k_0}$. Suppose that $p' = q$'s $r$. The definition of length guarantees that $|p'| = |p| > |q|$, so the induction hypothesis applies to $q$. Since $p'$ is associated to the left, $r \in G \cup K \cup N$.

Suppose that $r = g \in G \cup K$. Note that $[\![q\text{'s } g]\!]_{w,l,k_0} = \emptyset$ if $[\![q]\!]_{w,l,k_0} = \emptyset$, and $[\![q\text{'s } g]\!]_{w,l,k_0} = [\![g]\!]_{w,l,k_0}$ if $[\![q]\!]_{w,l,k_0} \ne \emptyset$. We consider these two cases separately.

Suppose first that $[\![q]\!]_{w,l,k_0} = \emptyset$, so $[\![p']\!]_{w,l,k_0} = \emptyset$. By the induction hypothesis, $I(q) = \emptyset$. To show that $I(p') = \emptyset$, we show that $p'$ is empty. Suppose not. Then $p'$'s $k_0 \mapsto k_0 \in S^+$. Since $S^+$ contains either $q$'s $k_0 \mapsto k_0$ or $\neg(q$'s $k_0 \mapsto k_0)$ and $S^+$ is $\mathrm{AX}_{\mathit{inf}}$-consistent, by Nonemptiness(c), Associativity, and Transitivity, we must have $q$'s $k_0 \mapsto k_0 \in S^+$. Thus, $q$ is not empty. By Lemma A.6, $I(q) \ne \emptyset$, a contradiction. Hence, $p'$ is empty. It now follows from Lemma A.6 that $I(p') = \emptyset$, as desired.

Consider next the case where $[\![q]\!]_{w,l,k_0} \ne \emptyset$, so $[\![p']\!]_{w,l,k_0} = [\![q\text{'s } g]\!]_{w,l,k_0} = [\![g]\!]_{w,l,k_0}$. To show that $[\![p']\!]_{w,l,k_0} = I(p')$, we show that $I(p') = I(g)$. The result then follows from the induction hypothesis.

By the induction hypothesis, $I(q) \ne \emptyset$, so by Lemma A.6, $q$ is not empty. It follows from (ClG) that $q$'s $g \mapsto g \in S^+$. Suppose that $k \in I(g)$. If $k \in P_1$, then $g \mapsto k \in S^+$, so by (ClT), $q$'s $g \mapsto k \in S^+$ and $k \in I(p')$. If $k = k_c$ for some $c \in O$, then $g \mapsto q' \in S^+$ for some $q' \in c$. Thus, $p' \mapsto q' \in S^+$ by (ClT) and we obtain that $p' \mapsto k \in S^*$ by construction of $S^*$. Thus, $I(g) \subseteq I(p')$.

For the opposite containment, note that by (ClCG) we have $g \mapsto q$'s $g \in S^+$. Arguing as above, we obtain using (ClT) that $I(g) \supseteq I(p')$. This completes the proof that $I(p') = I(g)$.

It remains to deal with the case that $p'$ has the form $q$'s $n$, where $n$ is a local name. There are three possibilities: $q$ is empty, key-equivalent or open. If $q$ is empty, then by Lemma A.6 and the induction hypothesis, $I(q) = \emptyset$ and $[\![q]\!]_{w,l,k_0} = \emptyset$. It follows that $[\![p']\!]_{w,l,k_0} = \emptyset$. Moreover, using Nonemptiness(c), Associativity, and Transitivity as above, it follows that $p'$ is empty and hence, by Lemma A.6, $I(p') = \emptyset$, as desired.

If $q$ is key-equivalent, say $q \approx k_1$, then $q \mapsto k_1 \in S^+$ and $k_1 \mapsto q \in S^+$. Using Key Distinctness and the consistency of $S^+$, it easily follows that $I(q) = \{k_1\}$. By the induction hypothesis, $[\![q]\!]_{w,l,k_0} = \{k_1\}$. Thus, $[\![p']\!]_{w,l,k_0} = l(k_1, n)$. By construction, $l(k_1, n) = I(k_1$'s $n) = I(p')$, as desired.

Finally, suppose that $q$ is open. If $k \in I(p')$, then it is immediate from the construction that $q \mapsto k_{[q]} \in S^*$ and $k \in l(k_{[q]}, n)$. By the induction hypothesis, $k_{[q]} \in [\![q]\!]_{w,l,k_0}$, so $k \in [\![p']\!]_{w,l,k_0} = \bigcup_{k' \in [\![q]\!]_{w,l,k_0}} l(k', n)$. Thus, $I(p') \subseteq [\![p']\!]_{w,l,k_0}$ if $q$ is open.

For the opposite containment, suppose that $k \in [\![p']\!]_{w,l,k_0}$. This means that there is some key $k'$ such that $k' \in [\![q]\!]_{w,l,k_0}$ and $k \in l(k', n)$. By the induction hypothesis, $k' \in I(q)$, so $q \mapsto k' \in S^*$. If $k' \in P_1$, then $q \mapsto k' \in S^+$ and $k'$'s $n \mapsto k \in S^+$. (Since $q \in P$ and $q \mapsto k' \in S^*$, we cannot have $k' = k_0$, by Lemma A.5.) By (ClLM), $q$'s $n \mapsto k'$'s $n \in S^+$, so by (ClT) we get $q$'s $n \mapsto k \in S^+$. Hence, $k \in I(p')$. If $k' = k_c$, where $c$ is an open equivalence class, then from $q \mapsto k' \in S^*$ it follows that $q \mapsto q' \in S^+$ for some $q' \in c$. From $k \in l(k_c, n)$ it follows that $r'$'s $n \mapsto k \in S^*$ for some $r' \in c$. By construction of $S^*$ we must have $r'$'s $n \in P_1$, and since $r' \approx q'$, we have $q' \mapsto r' \in S^+$. By (ClT) we obtain $q \mapsto r' \in S^+$, and hence by (ClLM) that $q$'s $n \mapsto r'$'s $n \in S^+$. Now notice that it follows from $q$'s $n \mapsto r'$'s $n \in S^+$ and $r'$'s $n \mapsto k \in S^*$ that $q$'s $n \mapsto k \in S^*$. If $k \in P_1$, this is immediate from (ClT). In case $k = k_d$ for some open class $d$, we have $r'$'s $n \mapsto t \in S^+$ for some $t \in d$. But then $q$'s $n \mapsto t \in S^+$ by (ClT); by definition of $S^*$ we get that $q$'s $n \mapsto k \in S^*$. This completes the proof. ∎

Lemma A.8: For all formulas $\psi \in \mathit{Sub}(\varphi) \cup E$, we have $\psi \in S$ iff $w, l, k_0 \models_o \psi$.

Proof: We first show by induction on the structure of $\psi \in \mathit{Sub}(\varphi) \cup E$ that $\psi \in S$ iff $w, l, k_0 \models \psi$, and then show that the assignment $l$ is consistent with $w$.

It is immediate from the construction of $w$ that $w, l, k_0 \models \psi$ iff $\psi \in S$ for $\psi$ of the form $k\ \mathbf{cert}\ (n \mapsto p)$.

If $\psi$ has the form $p \mapsto q$, note that $w, l, k_0 \models p \mapsto q$ iff $[\![p]\!]_{w,l,k_0} \supseteq [\![q]\!]_{w,l,k_0}$ iff (by Lemma A.7) $I(p) \supseteq I(q)$. Thus, it suffices to show that $I(p) \supseteq I(q)$ iff $p \mapsto q \in S^+$, for $p, q \in P$.

The "if" direction is immediate from (ClT): if $k \in I(q)$ then $q \mapsto k \in S^*$, so by (ClT) and the construction of $S^*$, $p \mapsto k \in S^*$ and thus $k \in I(p)$.

For the "only if" direction, suppose by way of contradiction that $I(p) \supseteq I(q)$ but $p \mapsto q \notin S^+$. Then, by construction, $\neg(p \mapsto q) \in S^+$. We consider three cases, depending on whether $q$ is empty, key-equivalent, or open.

Note first that $q$ cannot be empty: $\neg(p \mapsto q) \in S^+$, so by (ClN) we have $q$'s $k_0 \mapsto k_0 \in S^+$.

Suppose that $q$ is key-equivalent, with $k \mapsto q \in S^+$. If $p \mapsto k \in S^+$ then, by (ClT), $p \mapsto q \in S^+$, but this is not possible because $S^+$ is $\mathrm{AX}_{\mathit{inf}}$-consistent. Thus $p \mapsto k \notin S^+$. Since $k \in P$, $p \mapsto k \notin S^*$, and thus $k \in I(q) - I(p)$, giving us the desired contradiction.

Finally, suppose $q$ is open. By construction, $q \mapsto k_{[q]} \in S^*$. Moreover, we cannot have $p \mapsto k_{[q]} \in S^*$, for then there would exist $r \approx q$ such that $p \mapsto r \in S^+$. Using (ClT), it would follow that $p \mapsto q \in S^+$, which is impossible since $S^+$ is $\mathrm{AX}_{\mathit{inf}}$-consistent. Thus, $k_{[q]} \in I(q) - I(p)$, giving the required contradiction, and completing the proof in the case that $\psi$ is of the form $p \mapsto q$.

If $\psi$ is of the form $\neg\psi'$ or $\psi_1 \wedge \psi_2$, the result is immediate from the induction hypothesis (in the latter case, we need the fact that if $\psi_1 \wedge \psi_2 \in \mathit{Sub}(\varphi) \cup E$, then in fact $\psi_1 \wedge \psi_2 \in \mathit{Sub}(\varphi)$, so $\psi_1, \psi_2 \in \mathit{Sub}(\varphi)$ and the induction hypothesis applies). This completes the induction proof.

To show that the assignment $l$ is consistent with $w$, suppose that $n \mapsto p \in c(k)$. Then, by construction, $k\ \mathbf{cert}\ (n \mapsto p) \in S$. By (ClKL), we have $k$'s $n \mapsto k$'s $p \in S^+$. By what we have just shown, $w, l, k_0 \models k$'s $n \mapsto k$'s $p$. It follows that $w, l, k \models n \mapsto p$. Thus, $l$ is consistent with $w$. ∎

Thus, we have shown that $\varphi$ is satisfiable, completing the proof of Theorem 3.2 in the case that $K$ is infinite. The same argument works without change if $K$ is finite but $|K| > 2 \cdot |\varphi|^2$. (A consequence of this is that we do not need to use the axioms Witnesses and Current Principal to derive a valid formula $\varphi$ in $\mathrm{AX}_{\mathit{fin}}$ if $2 \cdot |\varphi|^2 < |K|$.) Moreover, the proof shows that Proposition 3.3 holds if $|K| > 2 \cdot |\varphi|^2$.

Now suppose that $|K| \le 2 \cdot |\varphi|^2$. We show that if $\varphi$ is $\mathrm{AX}_{\mathit{fin}}$-consistent, then $\varphi$ is satisfiable. The proof is in the spirit of that in the case of $\mathrm{AX}_{\mathit{inf}}$, but simpler.

Now let $P$ be the least set of principal expressions containing all principal expressions that appear in $\varphi$ and closed under subexpressions. Let $F$ consist of all formulas of the form $p \mapsto k'$ and $k$'s $p \mapsto k'$, where $p \in P$ and $k, k' \in K$. Let $S$ be an $\mathrm{AX}_{\mathit{fin}}$-consistent set containing $\varphi$ and, for every formula $\psi \in \mathit{Sub}(\varphi) \cup F$, either $\psi$ or $\neg\psi$. Since $\varphi$ is $\mathrm{AX}_{\mathit{fin}}$-consistent, there must be some $\mathrm{AX}_{\mathit{fin}}$-consistent set $S$ of this form.

There must be some key $k_0 \in K$ such that for every local name $n$ in $P$ and key $k \in K$, we have $n \mapsto k \in S$ iff $k_0$'s $n \mapsto k \in S$. For otherwise, for each key $k$, there is some local name $n_k$ and key $k_k$ such that either both $n_k \mapsto k_k$ and $\neg(k$'s $n_k \mapsto k_k)$ are in $S$, or both $\neg(n_k \mapsto k_k)$ and $k$'s $n_k \mapsto k_k$ are in $S$. This means that $S$ is inconsistent with the axiom Current Principal. Define the local name assignment $l$ so that $l(k, n) = \{k' : k$'s $n \mapsto k' \in S\}$. As in the case of $\mathrm{AX}_{\mathit{inf}}$, define the world $w = (\beta, c)$ by taking $\beta(g) = \{k \in K \mid g \mapsto k \in S\}$ and defining $c(k)$, for each key $k$, to be the set of formulas $n \mapsto p$ such that $k\ \mathbf{cert}\ (n \mapsto p) \in S$.

Now we have the following analogue to Lemma A.8.

Lemma A.9: For all formulas $\psi \in \mathit{Sub}(\varphi) \cup F$, we have $\psi \in S$ iff $w, l, k_0 \models_o \psi$.

Proof: Again we first show by induction on the structure of $\psi \in \mathit{Sub}(\varphi) \cup F$ that $\psi \in S$ iff $w, l, k_0 \models \psi$, and then show that the assignment $l$ is consistent with $w$.

It is immediate from the construction of $w$ that $w, l, k_0 \models \psi$ iff $\psi \in S$ for $\psi$ of the form $k\ \mathbf{cert}\ (n \mapsto p)$.

We next show that the result holds if $\psi$ is of the form $p \mapsto k'$, for $p \in P$, by induction on the structure of $p$. We strengthen the induction hypothesis to also show that $w, l, k_0 \models k$'s $p \mapsto k'$ iff $k$'s $p \mapsto k' \in S$. If $p$ is a key $k_1$, then $w, l, k_0 \models k_1 \mapsto k'$ iff $k' = k_1$, and by Reflexivity and Key Distinctness, $k_1 \mapsto k' \in S$ iff $k_1 = k'$. Similarly, $w, l, k_0 \models k$'s $k_1 \mapsto k'$ iff $w, l, k_0 \models k_1 \mapsto k'$ iff $k_1 \mapsto k' \in S$ iff $k$'s $k_1 \mapsto k' \in S$, by Transitivity, Key Globality, and Converse of Globality (using the fact that $S$ is $\mathrm{AX}_{\mathit{fin}}$-consistent).

If $p$ is a global identifier $g$, then $w, l, k_0 \models g \mapsto k'$ iff $g \mapsto k' \in S$ by the definition of $\beta$. The argument for $k$'s $g \mapsto k'$ is identical to the case that $p$ is a key.

If $p$ is the local name $n$, then $w, l, k_0 \models n \mapsto k'$ iff $k' \in l(k_0, n)$ iff $k_0$'s $n \mapsto k' \in S$ iff $n \mapsto k' \in S$, by choice of $k_0$. Similarly, $w, l, k_0 \models k$'s $n \mapsto k'$ iff $k' \in l(k, n)$ iff $k$'s $n \mapsto k' \in S$.

Finally, if $p$ is of the form $q$'s $r$, then $w, l, k_0 \models q$'s $r \mapsto k'$ iff there exists a key $k''$ such that $w, l, k_0 \models q \mapsto k''$ and $w, l, k_0 \models k''$'s $r \mapsto k'$ iff (by the induction hypothesis) there exists a key $k''$ such that $q \mapsto k'' \in S$ and $k''$'s $r \mapsto k' \in S$ iff $q$'s $r \mapsto k' \in S$. The "only if" direction of the last equivalence follows using Left Monotonicity and Transitivity; the "if" direction follows from Witnesses. The argument for $k$'s $(q$'s $r) \mapsto k'$ is identical, using Associativity: $w, l, k_0 \models k$'s $(q$'s $r) \mapsto k'$ iff there exists a key $k''$ such that $w, l, k_0 \models k$'s $q \mapsto k''$ and $w, l, k_0 \models k''$'s $r \mapsto k'$ iff there exists a key $k''$ such that $k$'s $q \mapsto k'' \in S$ and $k''$'s $r \mapsto k' \in S$ iff $k$'s $(q$'s $r) \mapsto k' \in S$.

We now continue with our induction in the case that $\psi$ is $p \mapsto q$. Note that $w, l, k_0 \models p \mapsto q$ iff, for all $k' \in K$, $w, l, k_0 \models q \mapsto k'$ implies $w, l, k_0 \models p \mapsto k'$, iff (by the induction hypothesis) for all $k' \in K$, $q \mapsto k' \in S$ implies $p \mapsto k' \in S$, iff $p \mapsto q \in S$. The "if" direction of the last equivalence follows immediately from Transitivity; the "only if" direction follows from Witnesses.

We complete the induction proof by observing that if $\psi$ is of the form $\neg\psi'$ or $\psi_1 \wedge \psi_2$, the result follows immediately from the induction hypothesis.

To show that $l$ is consistent with $w$, suppose that $n \mapsto p \in c(k)$. By construction, this means that $k\ \mathbf{cert}\ (n \mapsto p) \in S$. By Key Linking, we must also have $k$'s $n \mapsto k$'s $p \in S$. By what we have just shown, $w, l, k_0 \models k$'s $n \mapsto k$'s $p$. It follows that $w, l, k \models n \mapsto p$. Thus, $l$ is consistent with $w$. ∎

This completes the proof of Theorem 3.2 in the case that $K$ is finite. Note that since we can assume without loss of generality that $|K| \le 2 \cdot |\varphi|^2$ here (otherwise the argument for the case that $K$ is infinite applies), the proof also shows that Proposition 3.3 holds. ∎

Theorem 3.5: The same formulas are c-valid and o-valid; i.e., for all formulas $\varphi$, we have $\models_o \varphi$ iff $\models_c \varphi$.

Proof: We show that $\neg\varphi$ is o-satisfiable iff $\neg\varphi$ is c-satisfiable, which is equivalent to the claim. The direction from c-satisfiability to o-satisfiability is straightforward: since for every world $w$ the local name assignment $l_w$ is $w$-consistent, it follows from $w, k \models_c \neg\varphi$ that $w, l_w, k \models_o \neg\varphi$. Thus, it remains to show that if $\neg\varphi$ is o-satisfiable, then it is c-satisfiable.

So suppose that $\neg\varphi$ is o-satisfiable. By Proposition 3.3, there is a world $w = (\beta, c)$, local name assignment $l$, and principal $k$ such that $w, l, k \models_o \neg\varphi$, and a finite subset $K'$ of $K$ such that $l(k', n) \subseteq K'$ for all $k' \in K$ and $n \in N$, and $\beta(g) \subseteq K'$ for all global names $g$. By standard propositional reasoning, $\neg\varphi$ is equivalent to a disjunctive normal form expression in which the atoms are of the form $p \mapsto q$ and $k_1\ \mathbf{cert}\ \psi$, where $p$ and $q$ are principal expressions, $k_1$ is a key, and $\psi$ is a formula. If $w, l, k \models_o \neg\varphi$ then one of the disjuncts $\sigma$ is satisfied, i.e., $w, l, k \models_o \sigma$. Suppose that $\sigma$ is the conjunction of the formulas in the set $A \cup B$, where

1. $A$ is a set of formulas of the form $p \mapsto q$ or $\neg(p \mapsto q)$,

2. $B$ is a set of formulas of the form $k_1\ \mathbf{cert}\ \psi$ or $\neg(k_1\ \mathbf{cert}\ \psi)$.

Let $K_\varphi$ be the set of keys that appear in the formula $\varphi$ together with $K'$ and $k$. Let $N_\varphi$ be the set of local names that appear in $\varphi$. Define the world $w' = (\beta', c')$ as follows. Take the interpretation $\beta'$ of global names to be equal to $\beta$, the interpretation of global names in $w$. Define $c'$ by taking the set of certificates $c'(k')$ to be empty if $k' \notin K_\varphi$, and, if $k' \in K_\varphi$, to consist of $c(k')$ together with all certificates of the form $n \mapsto p_{k'',\varphi}$ for $n \in N_\varphi$ and $k'' \in l(k', n)$, where $p_{k'',\varphi}$ is a principal expression of the form $k''$'s $k''$'s $\ldots$ $k''$ that does not appear in $\varphi$. (Clearly we can make the expression sufficiently long so as to ensure it does not appear in $\varphi$.) Clearly $\bigcup_{k' \in K} c'(k')$ is finite.

We show that $w', k \models_c \sigma$. It follows from this that $w', k \models_c \neg\varphi$. Note first that from the fact that $c(k') \subseteq c'(k')$ for all $k' \in K_\varphi$, it follows that $w', k \models_c k'\ \mathbf{cert}\ \psi$ for all formulas $k'\ \mathbf{cert}\ \psi$ in $B$. Moreover, if $\neg(k'\ \mathbf{cert}\ \psi)$ is in $B$ then, since the expressions $p_{k'',\varphi}$ on the right-hand side of the certificates in $c'(k') - c(k')$ do not appear in $\varphi$, it follows that $w', k \models_c \neg(k'\ \mathbf{cert}\ \psi)$. Thus $w', k \models_c B$.

It remains to show that the formulas in $A$ are satisfied. To show this, we show that

$$l_{w'}(k', n) = l(k', n) \quad \text{for all } n \in N_\varphi \text{ and } k' \in K_\varphi. \qquad (2)$$

It easily follows from (2), the fact that all keys in $\varphi$ are in $K_\varphi$, and the fact that global names have the same interpretation in $w$ and $w'$ that $[\![p]\!]_{w',l_{w'},k'} = [\![p]\!]_{w,l,k'}$ for all principal expressions $p$ occurring in $A$ and all keys $k' \in K_\varphi$. This in turn is easily seen to imply that $w', k \models_c A$.

It remains to prove (2). It is almost immediate from the definition of $c'$ that $l_{w'}(k', n) \supseteq l(k', n)$ for all $n \in N_\varphi$ and $k' \in K_\varphi$. For the opposite containment, we prove by induction on $j$ that $(T_{w'} \uparrow j)(k', n) \subseteq l(k', n)$ for all $j \in \mathbb{N}$, $n \in N_\varphi$, and $k' \in K_\varphi$. The base case $j = 0$ is trivial. For the induction step, suppose that $j = j' + 1$ and $k'' \in (T_{w'} \uparrow j)(k', n)$. Thus, $k'' \in (T_{w'}(T_{w'} \uparrow j'))(k', n)$, which means that $k'' \in [\![p]\!]_{w',T_{w'} \uparrow j',k'}$ for some principal expression $p$ such that $n \mapsto p \in c'(k')$. There are two possibilities: (1) $n \mapsto p \in c(k')$ or (2) $n \mapsto p \in c'(k') - c(k')$. In case (2), $p$ must be of the form $p_{k_1,\varphi}$, so $[\![p]\!]_{w',T_{w'} \uparrow j',k'} = \{k_1\}$ and $k_1 = k''$. But in this case, by construction, $k'' \in l(k', n)$. In case (1), using the induction hypothesis and the fact that global names and keys in $p$ have the same interpretation in $w$ and $w'$ (this interpretation being a subset of $K'$), we get that $[\![p]\!]_{w',T_{w'} \uparrow j',k'} \subseteq [\![p]\!]_{w,l,k'}$. Thus, $k'' \in [\![p]\!]_{w,l,k'}$. Because $l$ is $w$-consistent and $n \mapsto p \in c(k')$, we again obtain that $k'' \in l(k', n)$, as required.

Since $l_{w'}(k', n)$ is the union of the $(T_{w'} \uparrow j)(k', n)$, it follows that $l_{w'}(k', n) = l(k', n)$. This completes the proof of (2). ∎

Proposition 3.8: Let $\Gamma$ be any c-satisfiable boolean combination of formulas of the form $k\ \mathbf{cert}\ \psi$, and let $A$ be any boolean combination of formulas of the form $p \mapsto q$ where neither $p$ nor $q$ contains a local name. Then $\models_c \Gamma \Rightarrow A$ iff $\models_c A$.

Proof: Clearly $\models_c A$ implies $\models_c \Gamma \Rightarrow A$. For the converse, suppose by way of contradiction that $\models_c \Gamma \Rightarrow A$ and there is a world $w = (\beta, c)$ and a principal $k$ such that $w, k \models_c \neg A$. Since $\Gamma$ is assumed to be c-satisfiable, there exists a world $w' = (\beta', c')$ and a principal $k'$ such that $w', k' \models_c \Gamma$. Let $w''$ be the world $(\beta, c')$. Then a straightforward induction shows that for all principal expressions $p$ not containing a local name, we have $[\![p]\!]_{w'',l_{w''},k} = [\![p]\!]_{w,l_w,k}$. Moreover, for all keys $k_1$ and formulas $\psi$, we have $w'', k \models_c k_1\ \mathbf{cert}\ \psi$ iff $w', k' \models_c k_1\ \mathbf{cert}\ \psi$. It follows that $w'', k \models_c \Gamma \wedge \neg A$, giving us our desired contradiction. ∎

Theorem 4.1: Suppose $k_1, k_2$ are principals, $w = (\beta, c)$ is a world, and $p$ is a principal expression. Let $E_w$ be the set of all the formulas $g \mapsto k$ for all global names $g$ and keys $k \in \beta(g)$, and the formulas $k\ \mathbf{cert}\ \psi$ for all keys $k$ and formulas $\psi \in c(k)$. The following are equivalent:

1. $k_1 \in \mathrm{REF2}(k_2, \beta, c, p)$,

2. $w, k_2 \models_c p \mapsto k_1$,

3. $w', k_2 \models_c p \mapsto k_1$ for all worlds $w' \ge w$,

4. $E_w \models_c k_2$'s $p \mapsto k_1$,

5. $E_w \models_o k_2$'s $p \mapsto k_1$.

Proof: The presentation of REF2 in Figure 1 is still slightly informal, combining recursion and nondeterminism. To make it fully precise, define a computation tree of REF2 to be a finite tree labelled by expressions of the form "$k_1 \in \mathrm{REF2}(k_2, \beta, c, p)$", such that if $N$ is a node so labelled, then one of the following four conditions holds:

1. $p$ is a key $k$, we have $k = k_1$, and $N$ is a leaf of the tree,

2. $p$ is a global name $g$, $k_1 \in \beta(g)$, and $N$ is a leaf of the tree,

3. $p$ is a local name $n$, $c(k_2)$ contains a formula $n \mapsto q$, and $N$ has exactly one child, labelled "$k_1 \in \mathrm{REF2}(k_2, \beta, c, q)$",

4. $p$ is of the form $q$'s $r$ and $N$ has exactly two children, labelled "$k \in \mathrm{REF2}(k_2, \beta, c, q)$" and "$k_1 \in \mathrm{REF2}(k, \beta, c, r)$", for some key $k$.

We take $k_1 \in \mathrm{REF2}(k_2, \beta, c, p)$ to mean that there exists a computation tree of REF2 with root labelled "$k_1 \in \mathrm{REF2}(k_2, \beta, c, p)$".

Given a world $w = (\beta, c)$ and $m \in \mathbb{N}$, let $l_m = T_w \uparrow m$. The following result establishes a correspondence between the stages of the computation of $l_w$ and the computation trees of REF2. The proof is by a straightforward induction on $m$, with a subinduction on the structure of $p$.

Lemma A.10: For all $m \in \mathbb{N}$, keys $k_1, k_2$, worlds $w = (\beta, c)$, and principal expressions $p$, we have $k_1 \in [\![p]\!]_{w,l_m,k_2}$ iff there exists a computation tree of REF2 of height at most $m$ whose root is labelled "$k_1 \in \mathrm{REF2}(k_2, \beta, c, p)$". (Here the height of a tree counts the nodes of form 3, that is, the certificate expansions, along its longest path; a node of form 4 unfolds a compound expression within a single stage of the fixpoint construction and so does not add to the height.)

Using the fact that $l_w = \bigcup\{l_m : m \in \mathbb{N}\}$, Lemma A.1, and Lemma A.10, we obtain the equivalence between (1) and (2).

The proof of the implication from (2) to (3) is by a straightforward induction on the structure of $p$; that is, for fixed $w' \ge w$, we show by induction on the structure of $p$ that if $w, k_2 \models_c p \mapsto k_1$ then $w', k_2 \models_c p \mapsto k_1$. The opposite implication from (3) to (2) is trivial, since $w \ge w$. For the implication from (3) to (4), suppose that (3) holds and (4) does not. Then for some world $w'$ and key $k$ we have $w', k \models_c E_w$ and $w', k \models_c \neg(k_2$'s $p \mapsto k_1)$. The latter implies $w', k_2 \models_c \neg(p \mapsto k_1)$. Since $w', k \models_c E_w$, it follows that $w' \ge w$. Thus, by (3), $w', k_2 \models_c p \mapsto k_1$, contradicting our assumption. The implication from (4) to (3) is immediate, since $w', k_2 \models_c E_w$ for all $w' \ge w$. Finally, the equivalence between (4) and (5) is just a special case of Theorem 3.5. ∎
Proposition 5.1: If $M$ represents $w$ and $I$ then for all principal expressions $p$ and $x, y \in K \cup G \cup N$ 
we have $M \models T_{x,y}(p)$ iff $x, y \in K$ and $w, I, x \models p \mapsto y$. 

Proof: By a straightforward induction on the structure of $p$. The base cases, where $p \in K \cup G \cup N$, 
are immediate from the definition of "represents" and the semantics of the logic. 
The inductive case, where $p = q$'s $r$, is immediate from the semantics and the definition of the 
translation. □ 

Theorem 5.2: The minimal Herbrand model of $\Sigma_w$ represents $w$ and $I_w$. 

Proof: (Sketch) The proof proceeds by showing a direct correspondence between the construction 
of the minimal Herbrand model of $\Sigma_w$ and the fixpoint construction of $I_w$. 

The theory of logic programming [Llo87] associates with the Horn theory $\Sigma_w$ an operator $\Phi_w$ 
on the space of Herbrand models on the vocabulary $V$, defined by $\mathit{name}(x, y, z) \in \Phi_w(M)$ iff 
there exists a substitution instance of a formula in $\Sigma_w$ of the form $B \Rightarrow \mathit{name}(x, y, z)$ such that 
$M \models B$. The least Herbrand model of $\Sigma_w$ is then equal to $\Phi_w \uparrow \omega = \bigcup_{m \in \mathbb{N}} \Phi_w \uparrow m$, where 
$\Phi_w \uparrow 0 = \emptyset$ and $\Phi_w \uparrow (m + 1) = \Phi_w(\Phi_w \uparrow m)$ for $m \geq 0$. 

Let $T_w$ be the operator on local name assignments defined in the proof of Theorem 3.1. 
Using Proposition 5.1 to handle the rules in $\Sigma_w$ corresponding to certificates, we may then 
show by a straightforward induction on $m$ that for all $m \geq 1$, the Herbrand model $\Phi_w \uparrow m$ 
represents the world $w$ and the local name assignment $T_w \uparrow m$. It follows that $M_w = \Phi_w \uparrow \omega$ 
represents $I_w = T_w \uparrow \omega$. □ 

Theorem 6.1: AX'^j (resp., AX'^^^) is a sound and complete axiomatization of LLNC with 
respect to the open semantics if $K$ is infinite (resp., $K$ is finite). 

Proof: The argument is very similar to that in the proof of Theorem 3.2. First suppose that 
K is infinite. 

We add the following clauses to the definition of P: 

6. Self $\in P$, 

7. if $n \in P$ is a local name then Self's $n \in P$. 

We also add the following clauses to the definition of $S^+$, corresponding to the new axioms for 
Self. 

(CISP) if Self's $p \in P$ then Self's $p \mapsto p \in S^+$ and $p \mapsto$ Self's $p \in S^+$, 
(CIPS) if $p$'s Self $\in P$ then $p$'s Self $\mapsto p \in S^+$ and $p \mapsto p$'s Self $\in S^+$, 
(CISE) if Self $\mapsto p \in S^+$ and $p$'s $k \mapsto k \in S^+$ then $p \mapsto$ Self $\in S^+$. 

Lemma A.5 still applies. The definitions following this lemma, up to and including that of 
$S^*$, are unchanged. However, the construction of the model changes slightly. We no longer 
use $k_0$ to represent the "current principal"; instead, we use the key $k_*$ that the construction 
associates with Self. This could be either a key in $P_1$ or one of the keys $k_c$ for $c \in O$, depending 
on whether Self is key-equivalent or open. Note that we cannot have Self empty (thanks to 
the Identity axiom). If Self is key-equivalent, then by (CIKD) it is equivalent to at most one 
key $k \in P$. In this case, we define $k_* = k$. If Self is open we define $k_*$ to be $k_c$, where 
$c = [\mathrm{Self}]$. 

We now define $w$ and $I$ exactly as before, except that we now set $I(k_0, n) = \emptyset$, since we no 
longer use $k_0$ as the "current principal." The following lemma is the analogue of Lemma A.7. 

Lemma A.11: For all expressions $p \in P$, we have $[\![p]\!]_{w,I,k_*} = \hat{I}(p)$. 

Proof: The proof is very similar to that of Lemma A.7; we just describe the modifications 
required. The base cases for $p$ a global name or a key are identical. 

When $p = n$ is a local name, we proceed as follows. There are two possibilities, depending 
on whether $k_* \in P$ or not. Suppose first that $k_* \in P$. Then we have $k_* \approx$ Self and, by 
(CILM) and (CISP), $k_*$'s $n \approx$ Self's $n \approx n$. It then follows by (CIT) and the construction of $I$ that 
$n \mapsto k \in S^*$ iff $k_*$'s $n \mapsto k \in S^*$ iff $k \in I(k_*, n)$, as required. 

If $k_* = k_c$ for $c$ an open class, we proceed as follows. If $k \in \hat{I}(n)$, then we consider two cases, 
depending on whether $k \in P_1$. If $k \in P_1$, then $n \mapsto k \in S^+$ and it follows that Self's $n \mapsto k \in S^+$ 
by (CISP) and (CIT). Since Self $\approx$ Self it is immediate that $k \in [\![p]\!]_{w,I,k_*}$. Alternatively, if 
$k = k_d$, for $d \in O$, then we have $n \mapsto q \in S^+$ for some $q \in d$. By (CISP) and (CIT) it follows 
that Self's $n \mapsto q \in S^+$, hence Self's $n \mapsto k \in S^*$. As before, this implies that $k \in [\![n]\!]_{w,I,k_*}$. 

For the opposite inclusion, suppose that $k \in [\![n]\!]_{w,I,k_*}$. Since we are assuming that Self 
is open, there must be some $q \approx$ Self such that $q$'s $n \mapsto k \in S^*$. By (CILM), we have 
Self's $n \mapsto q$'s $n \in S^+$. It follows using (CIT) that Self's $n \mapsto k \in S^*$, hence $n \mapsto k \in S^*$. 
This completes the argument for the base case of $n$ a local name. 

There is now an additional base case for $p =$ Self. Here, note that $[\![\mathrm{Self}]\!]_{w,I,k_*} = \{k_*\}$. We 
therefore need to show that Self $\mapsto k \in S^*$ iff $k = k_*$. When $k_* \in P_1$, we have Self $\approx k_*$, so 
Self $\mapsto k \in S^*$ iff $k_* \mapsto k \in S^*$, and the claim follows by (CIKD) and (CIT) as in the base case 
for keys. The alternative is that $k_* = k_c$ for $c = [\mathrm{Self}] \in O$. Since we have Self $\mapsto k_c \in S^*$ by 
construction of $S^*$, it remains to prove that if Self $\mapsto k \in S^*$ then $k = k_c$. Now we cannot 
have Self $\mapsto k \in S^*$ for $k \in P_1$, for then by the argument above that Self is nonempty and 
(CISE), we have $k \mapsto$ Self $\in S^+$, contradicting the assumption that $c$ is open. Thus, we must 
have $k = k_d$ for some $d \in O$. In this case, there exists $q \in d$ such that Self $\mapsto q \in S^+$. Since 
$d$ is open, we have $q$'s $k_0 \mapsto k_0 \in S^+$, hence $q \mapsto$ Self $\in S^+$ by (CISE). Thus, Self $\approx q$, and 
it follows that $d = c$, hence $k = k_*$ as required. This completes the argument for the base case 
where $p =$ Self. 

The inductive case is exactly as before, except that we need to consider the new case 
$p$'s Self. Here, we note that $[\![p\text{'s Self}]\!]_{w,I,k_*} = [\![p]\!]_{w,I,k_*}$. Thus, by the induction hypothesis, we 
are required to prove that $p \mapsto k \in S^*$ iff $p$'s Self $\mapsto k \in S^*$. This follows using (CIPS) and 
(CIT). □ 

The remainder of the proof in the case that $K$ is infinite proceeds as before, using $k_*$ in 
place of $k_0$. 

If $K$ is finite, the proof is even closer to that for the logic without Self. As sketched in 
the main text, because $S$ is consistent, it follows from Identity, Witnesses, and Self-is-key that 
there must be some key $k_* \in K$ such that Self $\mapsto k_* \in S$. For this key $k_*$, we must have 
$k_*$'s $n \mapsto k \in S$ iff $n \mapsto k \in S$. Thus, $k_*$ plays the role of $k_0$ in the earlier argument. (Note 
that we now no longer need Current Principal to ensure the existence of $k_0$.) The rest of the 
argument is unchanged. □ 